Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY4Z3ItY21jcC1nM21q

Directory Traversal in lactate

A crafted GET request can be used to traverse the directory structure of a host running the lactate web server package and request arbitrary files outside of the specified web root. This allows a remote, unauthenticated attacker to read any file on the filesystem that the lactate process has permission to read.

Mitigating factors:
Only files that the user running lactate has permission to read will be accessible via this vulnerability.

Proof of concept:
Install the lactate package globally and cd to a directory you wish to serve assets from. Then run lactate -p 8081 to start serving files from that location on port 8081.

The following cURL request demonstrates the vulnerability by requesting the target /etc/passwd file. Each %2e is the percent-encoded form of ".", so every %2e%2e/ segment decodes to ../ on the server and the request climbs out of the served directory:

curl "http://127.0.0.1:8081/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
[...]

Recommendation

As there is currently no fix for this issue (all released versions up to and including 0.13.12 are affected), switching to an alternative static web server is the best option.

Permalink: https://github.com/advisories/GHSA-68gr-cmcp-g3mj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY4Z3ItY21jcC1nM21q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-68gr-cmcp-g3mj
References: Repository: https://github.com/RetireJS/retire.js
Blast Radius: 11.9

Affected Packages

npm:lactate
Dependent packages: 11
Dependent repositories: 39
Downloads: 350 last month
Affected Version Ranges: <= 0.13.12
No known fixed version
All affected versions: 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.10, 0.11.11, 0.11.12, 0.11.13, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.12.5, 0.12.6, 0.12.7, 0.12.8, 0.12.9, 0.12.10, 0.12.11, 0.12.12, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.13.7, 0.13.8, 0.13.9, 0.13.10, 0.13.11, 0.13.12