[min-http-server] Stored XSS in the filename when directories listing

I would like to report Stored XSS in module "min-http-server". It allows to inject malicious scripts in the file name, store them on the server, then execute these scripts in the browser via the XSS vulnerability. # Module **module name:** min-http-server **version:** 1.0.6 **npm page:** `https://www.npmjs.com/package/min-http-server` ## Module Description 一个零配置、轻量级的 http 静态资源服务器 means A zero-configuration, lightweight http static resource server ## Module Stats [0] downloads in the last day [4] downloads in the last week [35] downloads in the last month # Vulnerability ## Vulnerability Description This XSS vulnerability occurs due to the module represents filename(s) in HTML without any sanitization in listing directory page. In a result, any malicious scripts which are injected and stored on the server, would be executed in the client's browser. ## Steps To Reproduce: - Install the module ``` npm install -g min-http-server ``` - In the directory which will be served via min-http-server, create file with following names in directories ~/Desktop/: ``` " onmouseover=alert(1) " ``` {F486143} - Run 'min-http-server in "~/Desktop" directory : ``` min-http-server [tiny-http-server] static-server is starting at port 1138 [tiny-http-server] please enter localhost:1138 in the browser ``` - Open http://localhost:1138/ {F486143} - When mouseover event is trigger, a message will be popup via XSS vulnerability. {F486145} ## Patch User input should be properly sanitized and filtered both at the client and server side. Dangerous characters such as < > ' " % ; ) ( & + should either be disallowed or HTML encoded before displaying them on screen. ## Supporting Material/References: - Linux kali 4.15.0-kali2-amd64 - node 10.15.3 - npm 6.9 - Firefox ESR 60.5.1esr (64-bit) # Wrap up - I contacted the maintainer to let them know: N - I opened an issue in the related repository: N ## Impact It allows to inject malicious scripts in the file name, store them on the server, then execute these scripts in the browser via the XSS vulnerability.