
CVE-2017-16103: Directory Traversal in serveryztyzt

CVSS Score (v3.0): 7.5

Basic Information

EPSS Score: 0.67352%
Published: 9/1/2020
Updated: 9/12/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: serveryztyzt
Ecosystem: npm
Vulnerable Versions: >= 0.0.0
First Patched Version: (not listed)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper path sanitization when resolving user-controlled input (URL paths). While the exact implementation details aren't provided, directory traversal vulnerabilities in HTTP servers typically occur in the core request handling function that maps URLs to filesystem paths. The example attack shows the server processing URL paths containing '../' sequences, indicating that the file resolution logic lacks: 1) path normalization checks, 2) root directory confinement, and 3) input sanitization. This pattern matches a common Node.js server weakness in which req.url is concatenated with a base directory instead of being resolved with path.resolve() and then checked against the root boundary.


WAF Protection Rules

WAF Rule

Affected versions of `serveryztyzt` resolve relative file paths, resulting in a directory traversal vulnerability. A malicious actor can use this vulnerability to access files outside of the intended directory root, which may result in the disclosure
