luggs-co / ncrypt Goto Github PK

The output from find "CodeMirror/mode" -mindepth 1 -type d should be piped through sort to produce somewhat reproducable results.

The cert on https://ncry.pt has expired. When i went to send an email to the listed contact address ([email protected]) it does not go through (no MX record and the server that the A/AAAA records points to does not respond on port 25).

If "fullscreen" and "wrap-lines" are enabled when loading a paste (remembered in cookies), only the first 11 lines will be displayed; after a click on the bottom part the remaining text gets displayed.

Some modes (e.g. "gfm") require addon/mode/overlay, which is not included.

This leads to a runtime exception during load, breaking the complete site...

nginx doesn't allow combining rewrite and alias, so this is a little bit difficult. This is the best I came up with so far:

~~~~ nginx with alias ~~~~

# nginx doesn't allow combining rewrite and alias
# also set $__config['site']['url'] accordingly

location /paste/ {
	alias /srv/ncrypt/;
	index not-existing-file;

	fastcgi_split_path_info ^(/paste)(/.+)$;
	include fastcgi.conf; # default fastcgi params
	# overwrite some params
	fastcgi_param SCRIPT_FILENAME $document_root/index.php;
	fastcgi_param PATH_INFO $fastcgi_path_info;

	if (!-f $request_filename) {
		fastcgi_pass php-backend;
	}

	# there is no need to access any php file directly
	location ~ \.php$ {
		deny all;
	}
}

For transparency reason (and with the authorization of the NCrypt maintainer), the email I sent to NCrypt the 02/03/2017 is reproduced below:

I just found an XSS vulnerability in NCrypt.

How to reproduce

• A malicious user create a paste with the content: <script>alert('XSS')</script>
• (S)he sends the link to the targeted user
• The targeted user clones the paste
• The JS payload is executed

As far as I tested it, the choice of programming language don't change the result.

Note: the payload can be "hidden" in a lot of text or code in order to "trick" users.

As far as I know, the impact is quite limited because you don't store the previous posted links in the browser, but it can be used to de-anonymize users for example.

I found this vulnerability because I'm currently and voluntarily searching for XSS vulnerabilities in a lot of FLOSS.

I remain available for any additional comments or questions.

Best,
Martin