
Major security issue with version 0.1.3 #32

Closed
murvinlai opened this Issue May 10, 2012 · 9 comments


I use gzippo@0.1.3 and I create the server like that:

var express = require('express');
var gzip = require('gzippo');

// gzippo serves ./public as the first middleware, ahead of the parsers
var app = express.createServer(
    gzip.staticGzip(__dirname + '/public', { maxAge: 5000 }),
    express.cookieParser(),
    express.bodyParser()
);

If I go to a URL like https://www.myself.com/../../../../../etc/rsyslog.conf or another path, I can see any system file.

If I upgrade to gzippo@0.1.4 the problem no longer seems to be there. However, I don't know whether 0.1.4 solves that problem on purpose or it just disappears in that version.

Please test this module carefully.

Owner

tomgco commented May 10, 2012

This was fixed in #14 and #24 and deployed in @0.1.4

When installing older versions a warning is shown displaying: npm WARN deprecated gzippo@0.1.3: critical bug fixed in v0.1.4

@tomgco tomgco closed this May 10, 2012

Thanks.

Contributor

gilad61 commented May 28, 2012

Hi,
I would like to reopen this issue, as 0.1.4 still has it.
If I go to any url with '..' in it I can navigate back through the file system and get any file.
For example - http://localhost:8000/../../someFolder/someFile.txt

In connect they have a test to make sure you don't go back in the directories hierarchy:
// malicious path
if (root && 0 != path.indexOf(root)) return utils.forbidden(res);

where 'root' is the base dir, and 'path' is the full file path of the requested file.

Thanks!

dcolens commented Jun 20, 2012

I am still seeing this issue in 0.1.4 ...

I just found another problem:

http://local/etc/shadow

is another leak.

@murvinlai Same problem, gzippo doesn't check if the normalized path is under the paths it should be serving.

Also, don't run your node scripts as root - ever.

Owner

tomgco commented Jun 22, 2012

@murvinlai @wmertens What versions of connect and gzippo are you using, as I cannot seem to replicate this problem? Also, could you run the tests as well and let me know if anything fails?

Thanks

I see that this was added:
https://github.com/tomgco/gzippo/blob/master/lib/staticGzip.js#L158

but the gzippo version 0.1.4 I was testing at the time didn't have it.
