Cross-site scripting (XSS) vulnerability in serve-lite@1.1.0
serve-lite descibres itself as: a lightweight http-server for static file-based web development.
Observation:
- Virtually zero downloads, so no considerable impact.
- It was last published 6 months ago
Resources:
- Project's GitHub source code: https://github.com/beenotung/serve-lite
- Project's npm package: https://www.npmjs.com/package/serve-lite
Background on exploitation
This file server library is vulnerable to cross-site scripting because when it detects a request to a directory it renders a file listing of all of its contents with links that include the actual file names without any sanitization or output encoding:
Lines 127-132 of server.js:
for (let file of files) {
let href = `${req.url}/${file}`.replace(/^\/\//, '/')
let stat = fs.statSync(path.join(dir, file))
let type = stat.isDirectory() ? 'D' : 'F'
res.write(`[${type}] <a href="${href}">${file}</a><br>`)
}This vulnerability should probably be classified as a CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
Proof of Concept exploit
- Install the latest version of
serve-lite(npm install --save lite-dev-server@1.1.0) - Make sure you have a
public/directory with files in it - Add a file into that directory named with an XSS payload in its name, such as
touch '><img src=x onerror=alert(1)>' - Run the server
node server.js 3000 public/ - Browse to the webpage at
http://localhost:3000/and confirm an alert popup
Author
Liran Tal
Thanks for the writing, this vulnerability is fixed in server-lite@1.1.2.
Patch commit: beenotung/serve-lite@f7a0062