XSS via filename #28
Comments
|
Thanks for the report. I'm going to publish a fix ASAP right now. P.S. if you like, always feel free to email me directly for security issues :) You can always post publicly on the repo if the author (me in this case) does not seem to be responding in a reasonable amount of time :D |
|
Sorry, I'll do that in the future! I looked at http://expressjs.com/ for a security contact, but I should have just tried your email. |
|
No problem. We are working on a policy. I was mainly just talking in general :) |
|
Oh, I see, it's the |
|
...and the content, lol. Basically, only the |
|
Please feel free to confirm this fix :) |
|
Thanks, that seems to have fixed the one I reported. I found another, though: the directory/path indicator at the top of the index page needs escaping as well. Try an |
|
Awesome!! Fixing... |
|
Also, in the title tag. |
|
Ok, I think I may have gotten them all now. |
|
@andrewrk I'm pinging you because of the last |
|
I'm ok, thanks. I'd like the option to ask for it later if I have to deal with another bug report asking for the patch earlier, if that's OK. |
The option is always available :) I was just checking ahead of time just in case you happened to know :) |
|
This has been published to npm as 1.6.3. |
serve-index 1.6.0 is vulnerable to XSS (see expressjs/serve-index#28)
serve-index directory listings are vulnerable to XSS via arbitrary uploader-controlled filenames.
Repro steps:
cd public/ftptouch '<img src="" onerror="alert(0)">'I spotted this when testing webpack-dev-server, which is also vulnerable as it uses serve-index.
The text was updated successfully, but these errors were encountered: