Salvo Web Framework Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in the Salvo web backend framework for Rust, affecting versions through 0.88.0. The issue arises in the 'list_html' function, which generates a file view of a folder. The current path is inserted into the HTML without proper sanitization, allowing for the execution of JavaScript. This vulnerability can be exploited by having a subdirectory in the root path, which triggers the directory listing instead of a 'Not Found' page.

Impact

Exploitation of this vulnerability allows for the execution of JavaScript in the victim's browser, which could lead to an account takeover, depending on the site's security constraints such as Content Security Policy.

Reproduction

To reproduce this vulnerability, create a directory structure with a subfolder under 'uploads'. Then, use a Salvo server application that serves static files from the 'uploads' directory. When the 'files' route is accessed, the 'list_html' function will be called, inserting the current path into the HTML without proper sanitization. This allows for the execution of injected JavaScript.

Remediation

Users can upgrade to Salvo version 0.88.1 or later, where this vulnerability has been patched.