QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2017-16224

Back to search

CVE-2017-16224

Published: Jun 7, 2018

Modified: Sep 16, 2024

PUBLISHED

Description

st is a module for serving static files. An attacker is able to craft a request that results in an HTTP 301 (redirect) to an entirely different domain. A request for: http://some.server.com//nodesecurity.org/%2e%2e would result in a 301 to //nodesecurity.org/%2e%2e which most browsers treat as a proper redirect as // is translated into the current schema being used. Mitigating factor: In order for this to work, st must be serving from the root of a server (/) rather than the typical sub directory (/static/) and the redirect URL will end with some form of URL encoded .. ("%2e%2e", "%2e.", ".%2e").

VendorProductVersions

HackerOne

st node module

affected
<=1.2.1

Weaknesses (CWE)

CWE-601

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now