
Sensitive information disclosure #13

Closed
goecho opened this issue May 18, 2018 · 13 comments

Comments

goecho commented May 18, 2018

Readable to /etc/passwd file
http://your-ip/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

goecho (Author) commented May 18, 2018

Proposes to prevent access to non-web directories

TheWaWaR (Owner)

I think you shouldn't run simple-http-server in /etc

goecho (Author) commented May 23, 2018

I think it doesn't matter where it runs, it's a security hole.

TheWaWaR (Owner) commented May 23, 2018

The permission of /etc/passwd is -rw-r--r--, which means any normal user can read the file, so why can't simple-http-server, run by the current user, read the file?

goecho (Author) commented May 24, 2018

The behavior of other web-servers is different from this one.

TheWaWaR (Owner)

alecdwm commented May 23, 2019

I think simple-http-server is breaking user expectations by serving files above the current working directory.

For python's http.server, http://localhost:8000/..%2f will map to $(cwd)/.
Whereas for simple-http-server, http://localhost:8000/..%2f will map to $(cwd)/../.

A user who is not aware of this will be accidentally exposing their system to the network, particularly when they have the --upload flag enabled.
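An added example of the root-confinement check this thread is asking for, in Rust because simple-http-server is a Rust project; it is not the project's code and not the fix that later landed in #35. It percent-decodes the request path once, then walks the segments and refuses any request whose `..` components would resolve above the served directory, so `..%2f` behaves exactly like `../`. The root path and request strings are constructed samples.

```rust
use std::path::{Path, PathBuf};

/// Percent-decode a URL path once ("%2f" -> "/"); malformed escapes are kept literally.
fn percent_decode(s: &str) -> String {
    let hex = |b: u8| (b as char).to_digit(16).map(|d| d as u8);
    let (bytes, mut out, mut i) = (s.as_bytes(), Vec::new(), 0);
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let (Some(h), Some(l)) = (hex(bytes[i + 1]), hex(bytes[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Map a request path onto `root`, refusing anything that would resolve above it.
/// Decoding runs before the ".." check, so "..%2f" is treated exactly like "../";
/// only one pass is done, so "%252e%252e" stays a literal name rather than "..".
/// The check is lexical: canonicalize `root` and resolve symlinks before opening.
pub fn safe_path(root: &Path, url_path: &str) -> Option<PathBuf> {
    let decoded = percent_decode(url_path.split('?').next().unwrap_or(""));
    if decoded.contains('\0') {
        return None; // a NUL byte would truncate the path at the OS boundary
    }
    let (mut out, mut depth) = (root.to_path_buf(), 0usize);
    // '\' counts as a separator too, so "..%5c" is caught on Windows hosts.
    for seg in decoded.split(|c: char| c == '/' || c == '\\') {
        match seg {
            "" | "." => continue,
            ".." if depth == 0 => return None, // would leave the served directory
            ".." => { out.pop(); depth -= 1; }
            s => { out.push(s); depth += 1; }
        }
    }
    Some(out)
}

fn main() {
    let root = Path::new("/srv/www"); // constructed sample root
    for req in ["/index.html", "/docs%2f..%2fstyle.css", "/..%2f..%2f..%2fetc/passwd"] {
        println!("{:<28} -> {:?}", req, safe_path(root, req));
    }
}
```

A request that is refused should be answered with 404 or 400 and logged, since repeated `..%2f` requests are a useful detection signal on their own.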

Kinrany commented Aug 28, 2019

I also expected simple-http-server to only serve the current working directory. Is that really not the case?

Avi-D-coder (Contributor) commented Aug 29, 2019

Serving files above the path the server was invoked in/with is a major security issue. @TheWaWaR This issue should be reopened. I will fix it today. Additionally, after it's fixed, all previous versions should be marked with a security notice.

@TheWaWaR TheWaWaR reopened this Aug 29, 2019
TheWaWaR (Owner)

Sorry, it's definitely a serious problem.

Avi-D-coder (Contributor)

Fixed in #35

Avi-D-coder (Contributor)

I could use a windows tester for #35 (comment)

Kinrany commented Aug 31, 2019

Thanks :D
