@lirantal
Created October 21, 2022 17:15

Path traversal vulnerability in lite-dev-server@3.2.7

lite-dev-server is an HTTP file server meant for local development, or as it describes itself: "This is http file server for develpment. This server supports livereload function and proxy function for your api server."

Observation:

  • Virtually zero downloads, so no considerable impact.
  • It was last published 3 years ago

Resources:

Background on exploitation

This file server library is vulnerable to Path Traversal attacks because no input sanitization, or any other check or protection, is applied to the user-controlled req.url value before it is passed to the server code.

On line 134 of src/server.js, the isFile() helper is called with the request path used directly, as follows:

await isFile(`${folder}${req.url}`);

and the same path is later served to users on line 138:

await giveFile(res, `${folder}${req.url}`, ext);

The isFile() function itself does not implement any security check that treats the public folder as a boundary; it only checks that the file path exists and is a regular file:

src/helpers.js:

export const isFile = async path => {
  const stats = await fsp.stat(path);
  if(!stats.isFile()) return new Promise.reject(Error('this is not file'));
};

This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Proof of Concept exploit

  1. Install the latest version of lite-dev-server (npm install --save lite-dev-server@3.2.7)
  2. Make sure you have a public/ directory with files in it
  3. Have a server.js file which uses this package API to serve files (see contents below)
  4. Run the server: node server.js
  5. Confirm the server started on the default port of 3000
  6. Send a request for a file outside the static directory and confirm that the path traversal attack succeeds: curl --path-as-is "http://localhost:3000/../package.json" and observe the contents of the file returned in the response

Directory layout:

.
├── public
│   └── index.html
├── server.js
└── package.json

server.js:

const liteDevServer = require("lite-dev-server");
liteDevServer( { folder: "public", watchFolders: ["public"]} );

Author

Liran Tal
