Jaguar-dart / jaguar

Jaguar, a server framework built for speed, simplicity and extensibility. ORM, Session, Authentication & Authorization, OAuth
http://jaguar-dart.github.io
463 stars, 34 forks

Directory traversal vulnerability for static file #157

Open leamlidara opened 2 years ago

leamlidara commented 2 years ago

This is my code:

server.staticFiles('/pf-img/*', 'profile');

and these are my URLs:

http://127.0.0.1:1337/pf-img/..%2Fdaplogfile.txt
http://127.0.0.1:1337/pf-img/..%2F..%2Fdatabase.sql

Both files exist and are accessible on my PC.

lexia-boris commented 2 years ago

You do know that you specify the folder? If you don't want those files accessible, remove them from that folder.
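The report above is the classic static-file traversal: the server strips the mount prefix, percent-decodes the rest, and joins it onto the configured folder, so `..%2F` becomes `../` and the resulting path leaves `profile/`. The files being served are not inside the configured folder at all, which is why removing files from that folder does not help. The following is an added example written for this page, not code from Jaguar; it is in Python rather than Dart so the check can be shown and run in isolation, and the function names, the temporary directory layout and the file contents are all constructed for the demonstration. It places the weak join next to a hardened version that decodes, canonicalises and then requires the canonical path to stay inside the root.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def naive_static_path(root: str, mount: str, request_path: str) -> Path:
    """The weak pattern (hypothetical name): strip the mount prefix, percent-decode,
    and join onto the root. Nothing stops a decoded '..%2F' from walking out of root."""
    relative = unquote(request_path[len(mount):])
    return Path(root) / relative


def safe_static_path(root: str, mount: str, request_path: str) -> Optional[Path]:
    """Hardened version (hypothetical name): decode first, canonicalise second,
    then refuse anything whose canonical form is not inside the canonical root.
    Returns the file to serve, or None for a rejected request."""
    if not request_path.startswith(mount):
        return None
    relative = unquote(request_path[len(mount):])
    if "\x00" in relative:  # NUL bytes truncate paths in some C-backed file APIs
        return None
    root_real = Path(root).resolve()
    # resolve() collapses '..' segments and follows symlinks, so a symlink planted
    # inside root that points outside is caught by the same containment check.
    candidate = (root_real / relative).resolve()
    try:
        candidate.relative_to(root_real)  # raises ValueError when candidate escaped root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Recreate the reported layout in a throwaway directory: a 'profile' folder
    mounted at '/pf-img/' with a sensitive file one level above it (all constructed)."""
    base = Path(tempfile.mkdtemp())
    try:
        profile = base / "profile"
        profile.mkdir()
        avatar = profile / "avatar.png"
        avatar.write_bytes(b"constructed sample image bytes")
        secret = base / "daplogfile.txt"
        secret.write_text("constructed sample secret\n")

        mount = "/pf-img/"
        legit = "/pf-img/avatar.png"
        attack = "/pf-img/..%2Fdaplogfile.txt"          # URL from the report
        attack2 = "/pf-img/..%2F..%2Fdatabase.sql"      # URL from the report

        return {
            # The naive join lands exactly on the file outside the mounted folder.
            "naive_serves_secret": naive_static_path(str(profile), mount, attack).resolve() == secret.resolve(),
            "safe_rejects_attack": safe_static_path(str(profile), mount, attack) is None,
            "safe_rejects_double": safe_static_path(str(profile), mount, attack2) is None,
            "safe_serves_legit": safe_static_path(str(profile), mount, legit) == avatar.resolve(),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The order of the three steps matters: decoding after canonicalisation lets `%2F` survive the `..` collapse and be turned into a separator later, and a string prefix test on the un-canonicalised path can be bypassed with `profile_other/` or a symlink. Comparing the resolved candidate against the resolved root, as `relative_to` does here, is the check that holds regardless of how the traversal was encoded.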