Directory Traversal #10

Closed
JacksonGL opened this issue Apr 18, 2017 · 4 comments

Comments

@JacksonGL
Contributor

First of all, this is an awesome package with lots of functionality.

It just has a directory traversal issue, which can be fixed by adding some filtering on the requested URL path. To exploit the vulnerability, I can just send a web request, say http://localhost:80/../../../, to browse and retrieve any file on the hosting server.

Notice: the above url does not work with wget or a browser. Try it by using http.get in a Node.js program.

@shy2850
Owner

shy2850 commented Apr 18, 2017

Thank you for so much concern. That will be fixed within a week. You can also send a pull request to me.

@JacksonGL
Contributor Author

I have created a pull request. Since I did not find test scripts, hopefully it will not break any existing functionality.

@JacksonGL
Contributor Author

Cool! Thanks for merging the pull request and patching the package on npm.
Just a friendly reminder: the following packages may need to be patched as well since their source code points to this repo:

@shy2850
Owner

shy2850 commented May 11, 2017

Those packages have all been deprecated.
