Hello Node.js third-party modules
I would like to report a path traversal in the buttle module.
It allows me to read any file on the server if I know the path.
module name: buttle
version: 0.2.0
npm page: https://www.npmjs.com/package/buttle
Simple static file (+ markdown) server.
[21] downloads in the last week
The module file mid-buttle.js uses a regex to check whether the url contains the string ".markdown". I think the check the author wants is that the string ".markdown" is located at the end of the url, but he forgot the $ in the regex. That is the first vulnerability. The second is that he does not check for path traversal (../).
```javascript
var url = req.url;
// Second test is unanchored: ".markdown" anywhere in the url matches.
if(/\.md$/i.test(url) || /\.markdown/i.test(url)) {
  // url is joined to the served directory with no normalisation or
  // containment check, so "../" segments escape dir.
  fs.exists(j(dir, url), function(exists) {
    if(exists) {
      fs.readFile(j(dir, url), {encoding: 'utf8'}, function(err, data) {
        if(err) { return res.end(err.message); }
        res.end(wrapInHtml(md(data)));
      });
    } else {
      next();
    }
  });
} else {
  next();
}
```
Link on GitHub: https://github.com/jtrussell/buttle/blob/master/lib/mid-buttle.js#L16
Install buttle:
$ npm install -g buttle
Start buttle:
$ buttle ./
Start Burp Suite. Enter a url containing the string ".markdown" and ../ to traverse to the file you want.
{F302395}
I recommend that:
A malicious user can use this vulnerability to read files containing credentials, SSH key files, source code, etc.