Mongoose 2.8.0 and earlier allows remote attackers to obtain the source code for a web page by appending a / (slash) character to the URI.
Mongoose versions 2.8.0 and earlier contain a critical information disclosure flaw: a remote attacker can retrieve the source code of a web page simply by appending a forward slash ('/') to the requested URI. Because server-side files commonly embed credentials, API keys and application logic, the disclosed source can contribute to a complete system compromise.
Step 1: Request Construction: The attacker crafts an HTTP GET request targeting a specific web page (e.g., /index.html).
Step 2: Payload Insertion: The attacker appends a forward slash ('/') to the end of the URI in the GET request (e.g., /index.html/).
Step 3: Request Submission: The attacker sends the modified HTTP GET request to the vulnerable Mongoose web server.
Step 4: Server Processing: The Mongoose server receives the request and attempts to locate the requested resource.
Step 5: Vulnerability Trigger: Due to the trailing slash, the server's path resolution logic fails to correctly identify the resource, and instead, it returns the source code of the file.
Step 6: Information Disclosure: The attacker receives the source code of the requested web page in the HTTP response.
The vulnerability stems from flawed URI handling in Mongoose: the server does not normalize or validate the requested URI before deciding how to serve it. A trailing slash ('/') bypasses the intended path resolution, so instead of handing the file to the handler that would execute or render it, the server returns the raw source file. This points to a missing check, or a misconfiguration, in how Mongoose determines a file's type and handles URIs that end in a slash. The root cause is therefore a lack of input normalization in the file-serving logic, which leads to unintended exposure of the underlying source code.
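The missing check described above can be shown as a small dispatcher. The code below is an added illustration, not Mongoose's own source: the handler classes, the extension list and the function names are hypothetical. `classify_vulnerable` matches the file extension against the raw URI, so a trailing slash makes the match fail and the request falls through to raw static serving; `classify_hardened` strips trailing slashes first and refuses (404) any request in which a slash was removed from something that names a file, so a script can never be served as plain bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Handler classes for illustration only; Mongoose's real dispatch table is not shown on this page. */
enum handler {
    HANDLER_STATIC = 0,   /* serve file bytes, or a directory index, as-is */
    HANDLER_CGI    = 1,   /* execute the file and return its output */
    HANDLER_SSI    = 2,   /* expand server-side includes and return the rendered page */
    HANDLER_REJECT = 3    /* respond 404: trailing slash on a non-directory resource */
};

/* Case-insensitive "path ends with ext". */
static int ends_with(const char *path, const char *ext) {
    size_t lp = strlen(path), le = strlen(ext);
    return lp >= le && strcasecmp(path + lp - le, ext) == 0;
}

/* Pick a handler from the extension of `path` (hypothetical extension list). */
static enum handler by_extension(const char *path) {
    if (ends_with(path, ".cgi")) return HANDLER_CGI;
    if (ends_with(path, ".shtml") || ends_with(path, ".ssi")) return HANDLER_SSI;
    return HANDLER_STATIC;
}

/* Vulnerable pattern: the extension is matched against the raw URI.
 * "/admin.cgi/" ends in '/', matches no handler, and falls through to raw static serving,
 * which is exactly the source disclosure the text describes. */
enum handler classify_vulnerable(const char *uri) {
    return by_extension(uri);
}

/* Hardened pattern: copy the URI into buf, strip trailing slashes, then decide.
 * If a slash was stripped and the last path component looks like a file name
 * (contains a '.'), the request is rejected: a file path never validly ends in '/'. */
enum handler classify_hardened(const char *uri, char *buf, size_t buflen) {
    size_t n = strlen(uri);
    if (n == 0 || n >= buflen) return HANDLER_REJECT;   /* empty or oversized URI */
    memcpy(buf, uri, n + 1);

    size_t stripped = 0;
    while (n > 1 && buf[n - 1] == '/') { buf[--n] = '\0'; stripped++; }

    const char *last = strrchr(buf, '/');
    last = last ? last + 1 : buf;
    int looks_like_file = strchr(last, '.') != NULL;

    if (stripped && looks_like_file) return HANDLER_REJECT;
    return by_extension(buf);   /* normalized path, so "/x.cgi/" can no longer dodge the CGI handler */
}

/* Convenience wrapper with a per-request buffer, as a server would hold for each connection. */
enum handler classify_request(const char *uri) {
    char path[1024];
    return classify_hardened(uri, path, sizeof path);
}

int main(void) {
    /* Constructed sample URIs, not taken from a real server log. */
    const char *samples[] = { "/index.cgi", "/index.cgi/", "/page.shtml//", "/docs/", "/" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s vulnerable=%d hardened=%d\n", samples[i],
               classify_vulnerable(samples[i]), classify_request(samples[i]));
    return 0;
}
```

The "looks like a file" heuristic keeps the example free of filesystem access; a real server would stat() the resolved path and reject any trailing-slash request whose target is not a directory, which also handles directories with dots in their names.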