Summary
Files outside of the lib/public/ directory can be requested from the server.
Details
When a request for a file (from lib/public/) is made to the server, the URL path from the request is added to the end of lib/public/, and the file at this path is then read and sent back to the user:
|
function requestHandler(req, res) { |
|
req.url = url.parse(req.url, true); |
|
req.url.query = req.url.query || {}; |
|
req.url.path_list = path_list(req.url.pathname); |
|
function asset_request(req, callback) { |
|
var filename = path.join(__dirname, "public", req.url.path_list.join("/")); |
|
fs.access(filename, function(fs_err) { |
|
if (!fs_err) { |
|
fs.readFile(filename, function(err, data) { |
url.parse() does not resolve the path, allowing for path traversal (../) to be included in the path. This allows attackers to leave the lib/public/ directory and request any file the program is allowed to read.
PoC
It looks like Cloudflare blocks requests that try to do path traversal, but this shouldn't be relied on. Otherwise, this could be reproduced using the command curl https://crafatar.com/../server.js --path-as-is
Impact
Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential.
The issue has been fixed in bba004a (v2.1.5). Many thanks to @James-Bennett-295 for finding and reporting this vulnerability!
James-Bennett-295 Finder
jomo Remediation developer
Summary
Files outside of the
lib/public/directory can be requested from the server.Details
When a request for a file (from
lib/public/) is made to the server, the URL path from the request is added to the end oflib/public/, and the file at this path is then read and sent back to the user:crafatar/lib/server.js
Lines 64 to 67 in e0233f2
crafatar/lib/server.js
Lines 23 to 27 in e0233f2
url.parse()does not resolve the path, allowing for path traversal (../) to be included in the path. This allows attackers to leave thelib/public/directory and request any file the program is allowed to read.PoC
It looks like Cloudflare blocks requests that try to do path traversal, but this shouldn't be relied on. Otherwise, this could be reproduced using the command
curl https://crafatar.com/../server.js --path-as-isImpact
Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential.
The issue has been fixed in bba004a (v2.1.5). Many thanks to @James-Bennett-295 for finding and reporting this vulnerability!