Exposure of Information Through Directory Listing in @saltcorn/server

Q: How to fix?

Upgrade @saltcorn/server to version 1.0.0-beta.14 or higher.

Threat Intelligence

Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-SALTCORNSERVER-8163072
published6 Oct 2024
disclosed3 Oct 2024
creditAlessio Della Libera

Report a new vulnerability Found a mistake?

Introduced: 3 Oct 2024

CWE-548 (opens in a new tab)

How to fix?

Upgrade @saltcorn/server to version 1.0.0-beta.14 or higher.

Overview

@saltcorn/server is a Server app for Saltcorn, open-source no-code platform

Affected versions of this package are vulnerable to Exposure of Information Through Directory Listing due to missing validations of the build_dir_name parameter. This allows an attacker with admin permission to view files and directories on the filesystem.

Note: It is possible to only see file and directory names but not to download their content.

##Workaround Users who are not able to upgrade to the fixed version are advised to resolve the buildDir and check if it starts with ${rootFolder.location}/mobile_app.

PoC

Log into the application as an admin user
Visit the following url: http://localhost:3000/admin/build-mobile-app/result?build_dir_name=/../../../../../../../../

References

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
High
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Exposure of Information Through Directory Listing Affecting @saltcorn/server package, versions <1.0.0-beta.14

Severity