@lirantal
Created October 21, 2022 16:48
Path traversal vulnerability in easy-static-server@0.1.1

easy-static-server is an HTTP file server, or, as it describes itself, an easy server for static files.

Observation:

  • Virtually zero downloads, so no considerable impact.
  • It was last published 6 years ago

Resources:

Background on exploitation

This file server library is vulnerable to Path Traversal attacks because no input sanitization, other checks or sandboxing are applied to the user-controlled req.url value that is passed to the server code.

Line 27 in index.js, as shown below, joins the root path of the public directory with the path requested on the server, yet it neither resolves the resulting path for directory traversals nor checks that it stays within the bounds of the root directory.

index.js (of easy-static-server@0.1.1):

// req.url is joined onto root as-is: nothing resolves ".." segments or checks that the result stays under root
var file = path.join(root, url.parse(req.url).pathname);
console.info(Date() + ": GET file:" + file);
fs.exists(file, function(exists){

This vulnerability should probably be classified as a CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal').

Proof of Concept exploit

  1. Install the latest version of easy-static-server (npm install --save easy-static-server@0.1.1)
  2. Make sure you have a public/ directory with files in it
  3. Have a server.js file which uses this package API to serve files (see contents below)
  4. Run the server node server.js
  5. Confirm the server started on the default port of 3000
  6. Send a request for a file outside the static directory and confirm that the path traversal succeeds: run curl --path-as-is "http://localhost:3000/../package.json" and observe the contents of the file returned in the response
.
├── public
│   └── index.html
├── server.js
└── package.json

server.js:

const server = require('easy-static-server');
server('./public');

Author

Liran Tal
