Description

ExpressJs used with Handlebars as templating engine (invoked via hbs view engine) is vulnerable to a Local File Read vulnerabilty that allows an attacker to read arbitrary files using the layout parameter. The vulnerability appears when code like the example below is used: 

var express = require('express');
var router = express.Router();

router.get('/', function(req, res, next) {
 	res.render('index')
});

router.post('/', function(req, res, next) {
	var profile = req.body.profile
 	res.render('index', profile)
});

module.exports = router;
The problem lies with the following line of code: 
res.render('index', profile)
.

Remediation

Use the code pattern 

res.render('index', { profile })
instead of 
res.render('index', profile)

References

The Secret Parameter, LFR, and Potential RCE in NodeJS Apps

Related Vulnerabilities

WordPress Plugin CIP4 Folder Download Widget Local File Inclusion (1.10)

WEBrick v.1.3 directory traversal

WordPress Plugin JetWidgets for Elementor and WooCommerce Local File Inclusion (1.1.7)

MODX Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2018-1000208)

WordPress Plugin Media from FTP Directory Traversal (9.85)

Severity

High

Classification

CWE-22 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Directory Traversal