XSS for days
for lack of better ideas, there is now a discord server with an @everyone for all future important updates such as this one
- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
IMPORTANT - recent security / vulnerability fixes
- v1.8.7 (this release) - GHSA-f54q-j679-p9hh - reflected XSS
- v1.8.6 (2023-07-21) - GHSA-cw7j-v52w-fp5r - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal
- all server logs reviewed so far (5 public servers) showed no signs of exploitation
bugfixes
- reflected XSS through /?k304 and /?setck
  - if someone tricked you into clicking a URL containing a chain of %0d and %0a, they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
  - if you use a reverse proxy, you can check whether you have been exploited like so (this also checks for GHSA-cw7j-v52w-fp5r):
    - nginx: grep your logs for URLs containing %0d%0a%0d%0a, for example using the following command:
      (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'
  - if you find any traces of exploitation (or just want to be on the safe side), it's recommended to change the passwords of your copyparty accounts
  - huge thanks again to @TheHackyDog !
- the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
- fix mediaplayer spinlock if the server only has a single audio file
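The nginx log check from the bugfix entry above, as an added example that is not part of these release notes or of copyparty itself: it applies the release's own grep pattern to the request target of each line in a constructed access log, and additionally (going beyond what the notes describe) re-checks each target after one round of percent-decoding. The sample log lines, the IP addresses and the function names are assumptions made for this example.

```python
# Added example, not from the copyparty v1.8.7 release notes: the nginx log
# check described in the notes, re-implemented as a small scanner and run
# over a constructed access log so the pattern can be exercised offline.
import re
from urllib.parse import unquote

# Indicator pattern from the release notes, applied to the request target:
# a chain of four %0d/%0a escapes (CRLF injection into the k304/setck
# redirect), or an hc=/pw= parameter followed by a raw angle bracket
# (the GHSA-cw7j-v52w-fp5r case). "grep -iE" in the notes -> re.I here.
RELEASE_PATTERN = re.compile(r"%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]", re.I)

# Added extension, not in the notes: the same two indicators after one round
# of percent-decoding, so spellings such as %3C / %3E (which the release's
# grep does not match, since nginx logs the target as received) are flagged.
DECODED_PATTERN = re.compile(r"[\r\n]{4}|[?&](hc|pw)=[^&]*[<>]", re.I)

# Request line inside an nginx "combined" log entry: "<method> <target> HTTP/<ver>"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Constructed sample lines (not real server logs): four benign requests, one
# CRLF chain against /?k304, one raw '<' in pw=, one percent-encoded '<' in pw=.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jul/2023:10:00:01 +0000] "GET /pub/demo/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Jul/2023:10:00:02 +0000] "GET /?k304=y HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2023:10:01:13 +0000] "GET /?k304=y%0d%0a%0d%0a HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.5 - - [22/Jul/2023:10:01:14 +0000] "POST /?pw=hunter2 HTTP/1.1" 200 20 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Jul/2023:10:01:15 +0000] "GET /?pw=a<b HTTP/1.1" 200 100 "-" "curl/8.0"
198.51.100.7 - - [22/Jul/2023:10:01:16 +0000] "GET /?pw=%3Cb%3E HTTP/1.1" 200 100 "-" "curl/8.0"
203.0.113.5 - - [22/Jul/2023:10:01:17 +0000] "GET /?hc=x&pw=y HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""


def request_target(line):
    """Return the request target of one log line, or None if it has no request line."""
    m = REQUEST_RE.search(line)
    return m.group("target") if m else None


def classify(line):
    """Names of the indicators that fire on one log line ([] if none)."""
    target = request_target(line)
    if target is None:
        return []
    hits = []
    if RELEASE_PATTERN.search(target):
        hits.append("encoded")   # exactly what the notes' grep would flag
    if DECODED_PATTERN.search(unquote(target)):
        hits.append("decoded")   # the added post-decoding check
    return hits


def scan(log_text):
    """(line number, request target, indicators) for every line that fires."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings.append((n, request_target(line), hits))
    return findings


if __name__ == "__main__":
    for n, target, hits in scan(SAMPLE_LOG):
        print(f"line {n}: {hits} {target!r}")
```

The notes' command strips everything from the closing quote of the request line before grepping; this script instead extracts the target from the request line, which covers the same bytes for combined-format logs. To run it against real logs, decompress and concatenate the rotated files as the notes' `gzip -dc ...; cat access.log` pipeline does and pass the resulting text to `scan`. A hit on "decoded" alone (line 6 of the sample) is the case the release's grep does not surface.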