Security Fix for Directory Traversal - huntr.dev #2

Open
huntr-helper wants to merge 2 commits from 418sec/master into master
huntr-helper commented 2020-09-10 11:07:19 +00:00 (Migrated from github.com)

https://huntr.dev/users/alromh87 has fixed the Directory Traversal vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | https://github.com/418sec/quickserver/pull/1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/quickserver/1/README.md

User Comments:

📊 Metadata *

quickserver is "Quickly start a Node.js instance serving static files". This package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server.

Bounty URL: https://www.huntr.dev/bounties/1-npm-quickserver

⚙️ Description *

There is no sanitization of the path provided, making quickserver vulnerable to path traversal through the ../ technique, leading to information exposure and file content disclosure.

💻 Technical Description *

Fixed by sanitizing any occurrence of ../, using regexp.

🐛 Proof of Concept (PoC) *

  1. Start the server:
     ./bin/quickserver
  2. Request a private file from the server:
     curl -v --path-as-is http://127.0.0.1:8080/../../../../../../../../../../../etc/passwd
  3. /etc/passwd will be displayed.
     [screenshot quickserverPOC: https://user-images.githubusercontent.com/7505980/92407446-47ec6900-f143-11ea-95f9-65f257b990a3.png]

🔥 Proof of Fix (PoF) *

After the fix, response code 400 Bad Request is returned to the user instead of the restricted file content.
[screenshot quickserverFix: https://user-images.githubusercontent.com/7505980/92407559-97cb3000-f143-11ea-87cc-cd407a48c6b8.png]

👍 User Acceptance Testing (UAT)

After the fix, functionality is unaffected.
[screenshot quickserverOk: https://user-images.githubusercontent.com/7505980/92407467-5175d100-f143-11ea-9a20-eb2a15c80dff.png]

Reference
torstein/quickserver!2