CVE-2020-36629: Security Fix for Path Traversal - huntr.dev by huntr-helper · Pull Request #36 · SimbCo/httpster
A vulnerability classified as critical was found in SimbCo httpster. This vulnerability affects the function fs.realpathSync of the file src/server.coffee. The manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. The name of the patch is d3055b3e30b40b65d30c5a06d6e053dffa7f35d0. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-216748.
https://huntr.dev/users/Mik317 has fixed the Path Traversal vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/httpster/1/README.md |
User Comments:

📊 Metadata

Bounty URL: https://www.huntr.dev/bounties/1-npm-httpster

⚙️ Description

The httpster file server was vulnerable to a path traversal issue, which existed because symlinks were fetched and their content served without any warning or error.

💻 Technical Description

I inserted a new router inside the express server created by httpster and used fs.lstat to check whether the requested file is a symlink or not.
If it is, and the --symlink flag isn't specified on the server (defaulting to false, as in other servers such as Nginx), an error is thrown.
🐛 Proof of Concept (PoC)
- Download httpster
- ln -s /etc/passwd test
- httpster
- Go to http://localhost:3333/test and the content of the /etc/passwd file is shown
🔥 Proof of Fix (PoF)
Same steps as above, but an error is returned instead of the content of the /etc/passwd file.
Same steps, but start the server with httpster --symlink, and the /etc/passwd file is shown (optional behaviour).
👍 User Acceptance Testing (UAT)
All ok 😄