hackerone luizviana H1:665302
History: Aug 01, 2019 - 3:37 a.m.

Node.js third-party modules: [seeftl] Stored XSS when directory listing via filename.

2019-08-01 03:37:27
luizviana
hackerone.com
9

EPSS: 0.001 (Low), percentile 37.3%

I would like to report a stored XSS via filename in the directory listing in seeftl.
It allows injecting malicious input in a filename, which leads to stored XSS when directories are listed.

Module

  • module name: seeftl
  • version: 0.1.1
  • npm page: https://www.npmjs.com/package/seeftl

Module Description

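seeftl – a simple static server for previewing ftl files (modified from anywhere)

It simply provides live preview by placing a config file in the same directory as the ftl file, which replaces the variables and macros in the ftl: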

Module Stats

[8] downloads in the last week

Vulnerability

Vulnerability Description

The XSS occurs because the module does not sanitize the representation of the filename when listing directories.

Steps To Reproduce:

Install seeftl:
$ npm install seeftl -g

Create a file with the following name:
" onmouseover=alert('xss') "

{F544502}

Run the seeftl server in the path where you created the file with the malicious filename:

$ seeftl
Running at http://127.0.0.1:8000/

Open http://localhost:8000/ in your browser.

{F544503}

Put the mouse over the filename and the event will be triggered and pop up the alert.

{F544504}

Patch

User input should be sanitized and dangerous characters should be HTML-encoded before printing them on screen.
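
The encoding this section calls for, as an added example that is not part of the original report and is not seeftl's code. `escapeHtml`, `renderListingUnsafe` and `renderListingSafe` are hypothetical names, and the unsafe renderer is an assumed shape of a listing template, shown beside the hardened form.

```javascript
'use strict';

// Characters that can break out of element content or a quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// HTML-encode a value before it is written into markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed vulnerable pattern: the raw filename is concatenated into both the
// href attribute and the link text, so a double quote in the name closes the
// attribute and the rest of the name is parsed as new attributes.
function renderListingUnsafe(names) {
  return names
    .map((n) => '<li><a href="' + n + '">' + n + '</a></li>')
    .join('\n');
}

// Hardened form: percent-encode the name for the URL context first, then
// HTML-encode for the attribute context; HTML-encode the visible text too.
function renderListingSafe(names) {
  return names
    .map((n) => {
      const href = escapeHtml(encodeURIComponent(n));
      return '<li><a href="' + href + '">' + escapeHtml(n) + '</a></li>';
    })
    .join('\n');
}

// Constructed sample input: the filename from the report plus a benign file.
const SAMPLE = ['" onmouseover=alert(\'xss\') "', 'index.ftl'];

console.log('unsafe:\n' + renderListingUnsafe(SAMPLE));
console.log('safe:\n' + renderListingSafe(SAMPLE));
```

In the hardened output the filename appears only as `&quot;`-encoded text and a percent-encoded href, so the browser never sees an `onmouseover` attribute on the link.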

Supporting Material/References:

  • Kali Linux 2019.2 amd64
  • v10.15.2
  • 5.8.0
  • Firefox ESR 60.7.2esr (64-bit)

Wrap up

  • I contacted the maintainer to let them know: [N]
  • I opened an issue in the related repository: [N]

Impact

It allows injecting malicious scripts in filenames and executing them in the browser via XSS.
