Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security Fix for Directory Traversal - huntr.dev #1

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

huntr-helper
Copy link

https://huntr.dev/users/Asjidkalam has fixed the Directory Traversal vulnerability 🔨. Asjidkalam has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/webrepl/1/README.md

User Comments:

📊 Metadata *

Path traversal bug

Bounty URL: https://www.huntr.dev/bounties/1-npm-webrepl/

⚙️ Description *

webrepl is a Serve a repl for a node process via a web console, this package is vulnerable to Directory Traversal, which may allow access to sensitive files and data on the server.

For example, requesting the following url /../../etc/passwd would result in /etc/passwd leaking.

💻 Technical Description *

The path traversal issue exists because it fails to validate the req.url to check for path traversal payloads. The fix can be implemented by preventing requests with ../ in it's URL.

🐛 Proof of Concept (PoC) *

Create a index.js with:

var webrepl = require('webrepl');
webrepl.start(8080);

And try to GET: curl --path-as-is 'localhost:8080/../../../../../../../etc/passwd'

image

🔥 Proof of Fix (PoF) *

After the fix, it drops the connection with request error 500. Hence the path traversal issue is mitigated.

image

👍 User Acceptance Testing (UAT)

Validated the path for bad URLs, no breaking changes implemented.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants