I would like to report a Stored XSS in the module "min-http-server".
It allows an attacker to place a malicious script in a file name, have it stored on the server, and have it executed in a visitor's browser when the directory listing page is viewed.
Module name: min-http-server
Version: 1.0.6
npm page: https://www.npmjs.com/package/min-http-server
The module's npm description (translated from Chinese) reads: A zero-configuration, lightweight HTTP static resource server.
[0] downloads in the last day
[4] downloads in the last week
[35] downloads in the last month
This XSS vulnerability exists because the module writes file names into the HTML of its directory-listing page without any encoding. As a result, a script embedded in a file name that is stored on the server is rendered as markup and executed in the browser of anyone who views the listing.
Install the module globally:

    npm install -g min-http-server

In the directory that will be served, create a file whose name is the payload below (the whole line, including the quotes and spaces, is the file name):

    " onmouseover=alert(1) "
{F486143}
Start the server from that directory:

    min-http-server
    [tiny-http-server] static-server is starting at port 1138
    [tiny-http-server] please enter localhost:1138 in the browser

Open http://localhost:1138/ in a browser. The directory listing inserts the file name into the page unencoded, so the leading double quote terminates the attribute the name is placed in and onmouseover=alert(1) becomes a new attribute on that element.
When the mouseover event fires, the injected handler runs and an alert dialog pops up, demonstrating the XSS.
{F486145}
The fix is output encoding at the point where the directory listing is generated: every file name must be HTML-entity encoded (at minimum the characters & < > " ') before it is inserted into the page, both in the visible link text and inside the href attribute, where the name should additionally be URL-encoded as a path segment. Client-side filtering does not help here, because file names are simply whatever is on disk and never pass through a browser form; encoding at render time is the only control that actually closes the issue. Blocklisting characters such as ( ) ; % + is not a substitute for context-aware encoding.
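To make the root cause and the fix concrete, here is an added example (not min-http-server's own code, whose listing template is not shown in this report): a stand-in directory-listing renderer written in the same unencoded style, beside a hardened version that encodes for the attribute and text contexts separately. The file names are constructed inline, including the report's payload and, going one step beyond the report, a text-context variant (`<img src=x onerror=alert(1)>`) to show that the same fix covers both. The `containsInjectedHandler` helper is a deliberately crude check that looks for an `on*=` attribute inside any tag of the output.

```javascript
// Added example, not code from min-http-server. The vulnerable renderer is a
// stand-in for "filename interpolated straight into the listing HTML".

// Vulnerable: file name dropped into both an attribute and text context with
// no encoding, so a quote in the name breaks out of href and a '<' starts a tag.
function renderListingVulnerable(dirName, names) {
  const rows = names.map(n => `<li><a href="${n}">${n}</a></li>`).join('\n');
  return `<h1>Index of ${dirName}</h1>\n<ul>\n${rows}\n</ul>`;
}

// HTML entity encoding suitable for element text and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Hardened: the href gets URL-encoding (path segment) then HTML encoding for
// the attribute; the link text and heading get HTML encoding.
function renderListingSafe(dirName, names) {
  const rows = names.map(n =>
    `<li><a href="${escapeHtml(encodeURIComponent(n))}">${escapeHtml(n)}</a></li>`
  ).join('\n');
  return `<h1>Index of ${escapeHtml(dirName)}</h1>\n<ul>\n${rows}\n</ul>`;
}

// Crude detector: does any tag in the output carry an on*= event attribute?
// Handler text that only appears between tags (encoded link text) does not count.
function containsInjectedHandler(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some(t => /\son[a-z]+\s*=/i.test(t));
}

// Constructed sample file names: two benign ones, the report's attribute-context
// payload, and a text-context variant.
const ATTR_PAYLOAD = '" onmouseover=alert(1) "';
const TEXT_PAYLOAD = '<img src=x onerror=alert(1)>';
const SAMPLE_NAMES = ['index.html', 'notes.txt', ATTR_PAYLOAD, TEXT_PAYLOAD];

// Render both versions of the listing and report whether a handler got injected.
function demo() {
  const bad = renderListingVulnerable('/', SAMPLE_NAMES);
  const good = renderListingSafe('/', SAMPLE_NAMES);
  return {
    bad,
    good,
    badInjected: containsInjectedHandler(bad),   // true: payload became markup
    goodInjected: containsInjectedHandler(good), // false: payload stayed text
  };
}

const result = demo();
console.log('--- vulnerable listing ---\n' + result.bad);
console.log('--- hardened listing ---\n' + result.good);
console.log('injected handler present:', result.badInjected, '->', result.goodInjected);
```

In the vulnerable output the payload row renders as `<a href="" onmouseover=alert(1) "">`, which is exactly the attribute breakout the report triggers with a mouse hover. In the hardened output the same name renders as `&quot; onmouseover=alert(1) &quot;` in the link text and `%22%20onmouseover%3Dalert(1)%20%22` in the href, so the browser shows the name but never parses it as markup. The two-layer encoding of the href matters: URL-encoding alone would still leave a `"` or `&` in the attribute if the encoder did not cover it, and HTML encoding alone would produce a link that does not resolve to the file.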