Skip to content

Security Fix for Directory Traversal - huntr.dev#2

Open
huntr-helper wants to merge 2 commits into
wesleybliss:masterfrom
418sec:1-npm-sabu
Open

Security Fix for Directory Traversal - huntr.dev#2
huntr-helper wants to merge 2 commits into
wesleybliss:masterfrom
418sec:1-npm-sabu

Conversation

@huntr-helper

Copy link
Copy Markdown

https://huntr.dev/users/alromh87 has fixed the Directory Traversal vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/sabu/1/README.md

User Comments:

📊 Metadata *

sabu is a static file server, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server.

Affected versions of this package are vulnerable to Directory Traversal.

Bounty URL: https://www.huntr.dev/bounties/1-npm-sabu/

⚙️ Description *

There is no path sanitization making sabu vulnerable against path traversal through the ../ technique, leading to information exposure and file content disclosure.

💻 Technical Description *

Fixed by sanitizing any occurrence of ../, using regexp.

🐛 Proof of Concept (PoC) *

  1. Start the server
    node bin/sabu
  2. Request private file from server
    curl -v --path-as-is http://127.0.0.1:8080/../../../../../../../../../../../home/alex/hacked.txt
  3. Private data will be displayed.

Captura de pantalla de 2020-09-15 15-11-07

🔥 Proof of Fix (PoF) *

After fix empty index page is returned to user instead of restricted file content
Captura de pantalla de 2020-09-15 15-09-33

👍 User Acceptance Testing (UAT)

After fix functionality is unafected

Captura de pantalla de 2020-09-15 15-09-58

alromh87 and others added 2 commits September 15, 2020 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants