Directory Traversal #10
Comments
Thank you for so much concern. That will be fixed within a week. You can also send a pull request to me.
I have created a pull request. Since I did not find test scripts, hopefully it will not break any existing functionality.
Cool! Thanks for merging the pull request and patching the package on npm.
Those packages have all been deprecated,
First of all, this is an awesome package with lots of functionalities.
It just has a directory traversal issue, which can be fixed by adding some filtering on the requested url path. To exploit the vulnerability, I can just send a web request say:
http://localhost:80/../../../
to browse and retrieve any file on the hosting server.

Notice: the above url does not work with `wget` or a browser. Try it by using `http.get` in a Node.js program.
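
The filtering on the requested URL path that the report suggests, shown beside an unfiltered mapping, as an added example that is not part of the original issue or the project's code. `WEB_ROOT`, `naiveResolve` and `safeResolve` are hypothetical names, and the request paths are constructed.

```javascript
const path = require('path');

// Hypothetical document root (assumption; not taken from the project).
const WEB_ROOT = path.resolve('/srv/www');

// Unfiltered mapping: joins the raw request path onto the root.
// path.join() normalizes ".." segments, so the result can leave the root.
function naiveResolve(root, rawUrlPath) {
  return path.join(root, rawUrlPath);
}

// Filtered mapping: decode, resolve, then confirm the result is still
// inside the root. Returns null when the request must be refused.
function safeResolve(root, rawUrlPath) {
  let decoded;
  try {
    // Drop the query string, then undo percent-encoding (%2e%2e -> "..").
    decoded = decodeURIComponent(rawUrlPath.split('?')[0]);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL byte never belongs in a path

  // Prefix with "." so a leading "/" is treated as relative to the root.
  const resolved = path.resolve(root, '.' + path.sep + decoded);

  // Containment check on the final path, not on the raw string.
  const rel = path.relative(root, resolved);
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return resolved;
}

// Constructed request paths, classified by whether they would be served.
function classify(paths) {
  return paths.map((p) => ({ path: p, served: safeResolve(WEB_ROOT, p) !== null }));
}
```

The check runs on the resolved path because clients such as `http.get` send `..` segments unmodified, while browsers and `wget` collapse them before the request leaves the client.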