Moderate severity · NVD Advisory · Published Jun 7, 2018 · Updated Sep 17, 2024

CVE-2018-3716

Description

simplehttpserver npm package before 0.1.0 lacks file name validation, enabling XSS attacks via malicious filenames.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The simplehttpserver npm package before version 0.1.0 contains a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file names [1][2]. When the server is used to list directory contents, it does not sanitize or escape user-controlled file names, allowing an attacker to inject arbitrary HTML and JavaScript [1][2]. The vulnerability is present in any directory listing served by versions prior to 0.1.0.

Exploitation

An attacker must be able to upload or create a file with a crafted filename on the server that is served by simplehttpserver. When a victim accesses the directory listing exposed by the server, the malicious filename is rendered unsanitized in the HTML response, causing the attacker's script to execute in the victim's browser. No special network position beyond typical web access is required [1][2].

Impact

Successful exploitation leads to execution of arbitrary JavaScript in the context of the victim's browser session. This can result in information disclosure (e.g., session cookies, local storage), credential theft, or other actions that can be performed by a malicious script. The attack is limited to the browser context and does not directly compromise the server [1][2].

Mitigation

The vulnerability is fixed in version 0.1.0 of simplehttpserver [1][2]. Users should upgrade to at least version 0.1.0. If upgrading is not immediately possible, a workaround is to avoid using the directory listing feature of simplehttpserver or to validate and sanitize file names before serving them, but the recommended mitigation is to update the package [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: simplehttpserver (npm)
Affected versions: < 0.1.0
Patched versions: 0.1.0
