npm

Severity: high

Directory Traversal

lactate

Overview

A crafted GET request can be leveraged to traverse the directory structure of a host using the lactate web server package and request arbitrary files outside of the specified web root. This allows a remote attacker to read any file on the filesystem that the server process has permission to read.

Mitigating factors: Only files that the user running lactate has permission to read will be accessible via this vulnerability.

Proof of concept: Install the lactate package globally and cd to a directory you wish to serve assets from. Next, run lactate -p 8081 to start serving files from that location.

The following cURL request can be used to demonstrate this vulnerability by requesting the target /etc/passwd file:

curl "http://127.0.0.1:8081/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[...]

Remediation

As there is currently no fix for this issue, selecting an alternative static web server is the best option.


Advisory timeline

  1. reported

    Initial report by Yasin Soliman (ysx)
    Jan 23rd, 2018
  2. published

    Advisory published
    Jan 23rd, 2018