Due to incorrect usage of path.join, https://github.com/warren-bank/node-serve is vulnerable to a Local File Inclusion vulnerability.
You can read more about this vulnerability and its side effects here: https://cwe.mitre.org/data/definitions/22.html
The vulnerable code is at ./lib/serve/bin/serve.js file, which you can access online via: https://raw.githubusercontent.com/warren-bank/node-serve/HEAD/lib/serve/bin/serve.js
If any of the path.join arguments is a relative path to the parent directory (../), the returned path can lie outside the intended directory, which can lead to leakage of sensitive files.
Running the project:
We installed the dependencies using yarn install, and then used the node command to run the file: node ./lib/serve/bin/serve.js
Verified proof-of-concept (PoC) to read the passwd file (path traversal vulnerability):
curl --path-as-is server_address:port/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd
By default, running the vulnerable file listens on a network-reachable port. Thus the CVSS Attack Vector (AV) is Network (N).
Impact:
We've calculated the base score of the vulnerability as 7.5, with a severity of "High", using the following vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
You can view the CVSS score online via: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Mitigation:
We also prepared a patch, which we believe is secure against this attack. Patch file content:
@@ -3060,0 +3061,7 @@
+ if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
+
+ if (compress) {
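Review bot: the comparison on the first added line decodes with decodeURI, which leaves percent-escapes of reserved characters such as %2f in place, so for the PoC URL given in this report the decoded string contains no "/" and path.normalize returns it unchanged; the check passes and the request is not rejected unless request.url has already been decoded by the time this code runs. Decode with the same function the file-serving code uses (decodeURIComponent if that is what resolves the path) and compare on the pathname only, since request.url also carries the query string. decodeURI also throws a URIError on a malformed escape sequence, so wrap the decode in try/catch and answer 400 rather than letting the exception escape the request handler.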
You can apply the patch by using the patch command:
patch --fuzz=3 --ignore-whitespace --verbose "./lib/serve/bin" -i patchfile.patch
This patch was generated with the help of AI. We verified that it works, but we still recommend that you verify that it correctly mitigates the bug and does not hurt the functionality of your software.
Credits: Jafar Akhoundali and Hamidreza Hamidi
Feedback:
We would like to know your opinion about the quality of this report by filling in a really brief survey with 4 questions:
https://leidenuniv.eu.qualtrics.com/jfe/form/SV_4JkS2loxBXVDlum