I would like to report XSS in tianma-static.
It allows XSS and HTML injection.
First of all, this is my first report and I am sorry that I am not good at English T.T
Thank you.
module name: tianma-static
version: 1.0.4
npm page: https://www.npmjs.com/package/tianma-static
> Provide a static file service.
If upload is possible, an attacker can upload an HTML file. Also, the content type of the
response header becomes text/html, so stored XSS is possible.
{F506823}
With %2f in the path (example: http://127.0.0.1:8080/%2F), the resolve
function makes a normal path on the filesystem, but req.pathname
prints out the manipulated path, so I can insert any HTML.
{F506824}
Reflected XSS using HTML only does not easily bypass modern browsers,
but if I can upload any file, reflected XSS is possible by loading a script.
{F506825}
File content type
> - Upload an HTML file with an XSS script.
> - XSS fires.
HTML Injection (reflected XSS)
> - Upload any file with an XSS script.
> - Access /%2f<script src='/[filename]'></script>
> - XSS fires.
Change decodeURI to decodeURIComponent, or deny malicious paths. If file upload is possible, XSS can occur.