CrisF: Vulnerability Report - Mina Node Monitor
I’ll add information reported here:
Through Node.js you can get any file from the host.
All monitor versions are affected since the December 14, 2021 commit 7ee51e82d885af951fcb7ef5f9139d7ebc072d50
https://github.com/olton/mina-node-monitor/commit/7ee51e82d885af951fcb7ef5f9139d7ebc072d50
This is a feature of Node.js (actually of the HTTP protocol); developers using it as a server must take care of security themselves.
https://github.com/olton/mina-node-monitor/blob/552607a18b3e91e66f7c9e1e14ade1643b23685f/server/index.js#L92
In this line of code he doesn't sanitize the URL for "..", so an attacker can get any file from the host.
Fixed, completely removed the code with this vulnerability.
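
The missing check described in the report, as an added example that is not part of the original thread or the project's code: a Node.js helper that maps a request URL to a file under a web root and rejects anything that resolves outside it. `WEB_ROOT`, `naiveResolve` and `safeResolve` are hypothetical names, and the naive version is a generic illustration, not a copy of the linked line.

```javascript
const path = require("path");

// Hypothetical web root, constructed for this example.
const WEB_ROOT = path.resolve("/srv/monitor/public");

// Naive mapping (generic illustration): the raw URL is joined onto the root.
// path.join collapses ".." segments, so the result can land outside WEB_ROOT.
function naiveResolve(requestUrl) {
  return path.join(WEB_ROOT, requestUrl);
}

// Hardened mapping: returns an absolute path inside WEB_ROOT, or null.
function safeResolve(requestUrl) {
  let pathname;
  try {
    // Drop query string and fragment, then percent-decode ("%2e%2e" -> "..").
    pathname = decodeURIComponent(requestUrl.split(/[?#]/)[0]);
  } catch (err) {
    return null; // malformed percent-encoding
  }
  if (pathname.includes("\0")) return null; // NUL is never valid in a file name
  // Treat backslashes as separators so "..\" is caught on every platform.
  pathname = pathname.replace(/\\/g, "/");
  // The "./" prefix keeps a leading "/" from being read as an absolute path.
  const resolved = path.resolve(WEB_ROOT, "./" + pathname);
  // Compare by relative path, not string prefix: a prefix test would accept
  // a sibling directory such as "/srv/monitor/public-old".
  const rel = path.relative(WEB_ROOT, resolved);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return resolved;
}

// Constructed sample requests.
for (const url of ["/index.html", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"]) {
  console.log(url, "->", safeResolve(url));
}
```

The check is lexical only: it does not follow symlinks, so a server that allows symlinks under the web root would also need to compare `fs.realpathSync` results.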