ID: NODEJS:554
Type: nodejs
Reporter: Yasin Soliman
Modified: 2018-01-12T00:03:03
Description
Overview
The serve-here module is a small web server that serves files with the
process' working directory acting as the web root.
It is vulnerable to a directory traversal attack.
This means that files on the local file system which exist outside of the web
root may be disclosed to an attacker. This might include confidential files.
Mitigating Factors: If the node process is run as a user with very limited
filesystem permissions, there is significantly less risk of exposing
confidential/private information.
{"id": "NODEJS:554", "bulletinFamily": "software", "title": "Directory Traversal", "description": "## Overview\n\nThe serve-here module is a small web server that serves files with the\nprocess' working directory acting as the web root.\n\nIt is vulnerable to a directory traversal attack.\n\nThis means that files on the local file system which exist outside of the web\nroot may be disclosed to an attacker. This might include confidential files.\n\nMitigating Factors: If the node process is run as a user with very limited\nfilesystem permissions, there is significantly less risk of exposing\nconfidential/private information.\n\nProof of Concept:\n\n \n \n curl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n \n\n## Remediation\n\nserve-here has been [deprecated by the\nauthor](https://github.com/vivaxy/here/issues/18) and replaced by\n[@vivaxy/here](https://www.npmjs.com/package/@vivaxy/here)\n\nrun `npm i @vivaxy/here` to install the new module.\n\n## References\n\n * <https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2>\n * <https://hackerone.com/reports/296254>\n\n", "published": "2018-01-12T00:03:03", "modified": "2018-01-12T00:03:03", "cvss": {"score": 7.5, "vector": "NONE"}, "href": "https://nodesecurity.io/advisories/554", "reporter": "Yasin Soliman", "references": [], "cvelist": [], "type": "nodejs", "lastseen": "2018-01-15T08:52:43", "history": [{"bulletin": {"affectedSoftware": [{"name": "Node.js serve-here", "operator": "le", "version": "3.2.0"}], "bulletinFamily": "software", "cvelist": [], "cvss": {"score": 7.5, "vector": "NONE"}, "description": "## Overview\n\nThe serve-here module is a small web server that serves files with the\nprocess' working directory acting as the web root.\n\nIt is vulnerable to a directory traversal attack.\n\nThis means that files on the local file system which exist outside of the web\nroot may be disclosed to an attacker. 
This might include confidential files.\n\nMitigating Factors: If the node process is run as a user with very limited\nfilesystem permissions, there is significantly less risk of exposing\nconfidential/private information.\n\nProof of Concept:\n\n \n \n curl \"http://${SERVER_IP}:${SERVER_PORT}/..%2f..%2fetc/passwd\"\n \n\n## Remediation\n\nWe have created an issue asking the author to publish, but as of right now the\npatched version has not been published to npm.\n\nBecause of this, at the moment the module will need to be updated by npm\ninstalling directly from git:\n\n \n \n npm i git+https://github.com/vivaxy/here.git#298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2\n \n\n## References\n\n<https://github.com/vivaxy/here/commit/298dbab41344dfb7f95f66b1fa7b5cfb436bd4a2>\n<https://hackerone.com/reports/296254>\n\n", "edition": 1, "enchantments": {"score": {"modified": "2018-01-12T04:52:26", "value": 3.8}}, "hash": "b288ec9d1c29ce646993436744e002635293a43978e86732970ed6e3e190efc4", "hashmap": [{"hash": "a94e62e230cd7c71f80f287781d8b8da", "key": "description"}, {"hash": "98bf531a73513896396bcf1eca8c6792", "key": "reporter"}, {"hash": "ca0c21502777f149618d77530c17c960", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "4c2f4fc1be112d857d23bed8679a401b", "key": "cvss"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "671a0da0ba061c98de801409dbc57d7e", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "72fe74c659683954635b78b1e5757bdf", "key": "title"}, {"hash": "72b4f88440aa0e0327dc404047650289", "key": "modified"}, {"hash": "72b4f88440aa0e0327dc404047650289", "key": "published"}, {"hash": "7041d78666d151ae788e8804e51d700d", "key": "affectedSoftware"}], "history": [], "href": "https://nodesecurity.io/advisories/554", "id": "NODEJS:554", "lastseen": "2018-01-12T04:52:26", "modified": "2018-01-12T00:03:03", "objectVersion": "1.3", "published": 
"2018-01-12T00:03:03", "references": [], "reporter": "Yasin Soliman", "title": "Directory Traversal", "type": "nodejs", "viewCount": 39}, "differentElements": ["description", "affectedSoftware"], "edition": 1, "lastseen": "2018-01-12T04:52:26"}], "edition": 2, "hashmap": [{"key": "affectedSoftware", "hash": "b8ff975743285f7db32665eabae84dad"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "4c2f4fc1be112d857d23bed8679a401b"}, {"key": "description", "hash": "008a6cc46dedba0183aa4b74d583abbc"}, {"key": "href", "hash": "ca0c21502777f149618d77530c17c960"}, {"key": "modified", "hash": "72b4f88440aa0e0327dc404047650289"}, {"key": "published", "hash": "72b4f88440aa0e0327dc404047650289"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "98bf531a73513896396bcf1eca8c6792"}, {"key": "title", "hash": "72fe74c659683954635b78b1e5757bdf"}, {"key": "type", "hash": "671a0da0ba061c98de801409dbc57d7e"}], "hash": "dcc3bddd9b9b6768694670b766d1e871ed93cd4bfc1210f9e4a338cc7f927f9f", "viewCount": 39, "enchantments": {"vulnersScore": 5.0}, "objectVersion": "1.3", "affectedSoftware": [{"name": "Node.js serve-here", "operator": "le", "version": "All"}]}