
A directory traversal issue #8

Closed
JacksonGL opened this issue Dec 11, 2016 · 8 comments

Comments

@JacksonGL

This package is vulnerable to directory traversal. An attacker can provide input such as ../ to read files outside of the specified working directory.

@henrytseng
Owner

Can you provide a more concrete example? I don't believe that's the case at all.

@JacksonGL
Author

JacksonGL commented Dec 14, 2016

Sure, see the concrete example below that demonstrates the vulnerability:

  1. Set up an experiment directory A that contains a subdirectory B and a file C.
  2. Start hostr inside directory B so that hostr serves files in the working directory (B).
  3. Use the following node.js program to request file C, which is outside the working directory B:
```javascript
var http = require('http');

// Request file C through a path containing a ".." segment. Node's http
// client sends the path exactly as written, without collapsing "..".
http.get('http://localhost:3000/../C', (res) => {
  // Print whatever the server returns for the traversal path.
  res.on('data', (chunk) => {
    console.log(chunk.toString());
  });
});
```

You can generalize this example a little bit by replacing http://localhost:3000/../C with some file that is more sensitive: http://localhost:3000/../../../etc/passwd. Since hostr also lists files in a directory, it basically allows an attacker to view and get any file on the hosting machine.

@henrytseng
Owner

Yes, I'm familiar with directory traversal. Directory traversal is not possible because of the router. Start ../bin/hostr in the examples/ folder and run a quick curl command:

```shell
curl http://localhost:3000/../LICENSE
```

This was a quick development tool and not intended for production obviously. I hope you're not using it for anything production related. If there's a bug with a specific version of node let me know (e.g. - tested on 4.2.2 and 6.9.2 LTS). Thanks!

@JacksonGL
Author

Right, curl will not work, probably because of the router. That is why I spent time typing the JavaScript code in my previous response. The JS program will successfully retrieve the file over the network.

If I set up hostr as my local development tool, it serves all files (not just the files in the working directory) on my machine to the local network, which is dangerous.

@henrytseng
Owner

henrytseng commented Dec 14, 2016

@JacksonGL The modules in the code were not intended to be used within a project; it should be used as an external tool. I hope that makes sense.

I'm using curl to test so that the request is sent to the operating system.

If your code imports modules from hostr then you'd have to incorporate additional logic to prevent a tree traversal.

If your code is external, it'll serve the same response:

@JacksonGL
Author

JacksonGL commented Dec 14, 2016

Thanks for your reply. I'm trying to tell you about the vulnerability because it is published on npm and there are over 10k downloads. So I assume that there are some other people using your work as a development tool.

Not sure if I understand precisely what "using as an external tool" means. I started the server using the hostr command provided by the tool. I tested the vulnerability by sending the request from both my local machine and another machine in the local network. In both scenarios, I can successfully get any file on the hosting machine (outside the working directory).

PS: I think both curl and http.get send the request through the OS, since the http package is essentially a JS wrapper of OS system calls. However, attacking from curl does not work while attacking from the JS program actually works; I don't know why.

@henrytseng
Owner

Hmmm. Okay, I'm seeing the issue now. I've added a simple filter.

@JacksonGL
Author

Awesome! Thanks.
