This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

[FIX] Path traversal disabling symlink #1

Merged (1 commit) on Sep 3, 2020

Conversation


@Mik317 Mik317 commented Aug 25, 2020

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-httpster

⚙️ Description *

The httpster file server was vulnerable to a path traversal issue, which existed because symlinks were fetched and their content served without any warning or error.

💻 Technical Description *

I inserted a new router inside the express server created by httpster and used fs.lstat to check whether the requested file is a symlink or not.
In case it is and the --symlink flag isn't specified for the server (it defaults to false, as in other servers such as Nginx), an error is thrown.

🐛 Proof of Concept (PoC) *

  1. Download httpster
  2. ln -s /etc/passwd test
  3. httpster
  4. Go to http://localhost:3333/test and the content of the /etc/passwd file is shown

Screenshot from 2020-08-25 17-23-54

🔥 Proof of Fix (PoF) *

  1. Same steps as above, but an error is given instead of the content of the /etc/passwd file

Screenshot from 2020-08-25 18-34-12

  1. Same steps as above, but start the server with httpster --symlink and the /etc/passwd file is shown (optional behaviour)

Screenshot from 2020-08-25 18-35-29

👍 User Acceptance Testing (UAT)

All ok 😄


@bbeale bbeale left a comment


@ghost ghost merged commit 3c95007 into 418sec:master Sep 3, 2020
@huntr-helper (Member) commented:

Congratulations Mik317 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!

This pull request was closed.
3 participants