Salvo Web Framework Directory Listing Vulnerability Allowing Stored Cross-Site Scripting
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Salvo web backend framework for Rust, affecting versions through 0.88.0. The issue arises in the 'list_html' function of the 'serve-static' crate, which generates a file view of a directory without properly sanitizing file or folder names. This lack of sanitization could lead to the execution of malicious scripts, particularly in scenarios where public file access is allowed and users can upload files.
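The pattern described above, as an added example that is not Salvo's source code: a directory listing built by interpolating names verbatim, next to a version that escapes each name for the HTML context and percent-encodes it for the link. All function names are hypothetical and the file names are constructed samples.

```rust
// Added illustration of the bug class; not taken from Salvo or its patch.
// Function names are hypothetical.

/// Escape the characters that are significant in HTML text and attribute values.
fn escape_html(input: &str) -> String {
    input.replace('&', "&amp;").replace('<', "&lt;").replace('>', "&gt;")
        .replace('"', "&quot;").replace('\'', "&#x27;")
}

/// Percent-encode every byte except RFC 3986 unreserved characters, for use in an href.
fn encode_path_segment(name: &str) -> String {
    name.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Vulnerable pattern: the stored file name reaches the markup unchanged.
fn list_html_unescaped(names: &[&str]) -> String {
    let items: String = names.iter().map(|n| format!("<li><a href=\"{0}\">{0}</a></li>", n)).collect();
    format!("<ul>{}</ul>", items)
}

/// Hardened pattern: URL-encode for the link target, HTML-escape for the label.
fn list_html_escaped(names: &[&str]) -> String {
    let items: String = names.iter().map(|n| {
        format!("<li><a href=\"{}\">{}</a></li>", encode_path_segment(n), escape_html(n))
    }).collect();
    format!("<ul>{}</ul>", items)
}

fn main() {
    // Constructed sample names, as an upload feature might have stored them.
    let names = ["report.pdf", "<img src=x onerror=alert(1)>.txt"];
    println!("{}", list_html_unescaped(&names));
    println!("{}", list_html_escaped(&names));
}
```

In the escaped output the second name is rendered as literal text, so the browser creates no element from it.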
Impact
Exploitation of this vulnerability allows for the execution of JavaScript in the context of the user, which could lead to an account takeover, depending on the website's security measures such as Content Security Policy.
Reproduction
To reproduce this vulnerability, upload a file with a name containing malicious JavaScript into a Salvo application running a version through 0.88.0 that uses the 'serve-static' feature. After uploading, navigate to the directory listing where the file was uploaded. The malicious script will be executed, demonstrating the cross-site scripting vulnerability.
Remediation
Users can upgrade to Salvo version 0.88.1, where this vulnerability has been patched.
