xss_vuln_issue's People
xss_vuln_issue's Issues
关于安全漏洞的协调披露
Hello! This is ed, author of copyparty. Nice to meet you :-)
I see that you have been exploring my software for vulnerabilities. This is awesome, and I very much appreciate your efforts in doing so.
However, I was sad to see that you decided to post your findings publically, without letting me know first. Just like many other open source projects, copyparty has tried to make it as easy as possible to disclose of any such vulnerabilities in private. On the github project page, there is a security tab which explains how to get in touch with me. That way, we can work together on fixing the issue, and avoid zero-day vulnerabilities that could put people's safety at risk. And maybe you even get a cool CVE that you can put on your resume 👍
We were lucky this time, since this was not a vulnerability. The release notes of version 1.9.2 mention how there are several intended ways to execute arbitrary javascript on the server, for example by uploading html files. When your copyparty account has the necessary permissions to edit markdown documents, you also have the permission to upload files. And since copyparty is a general-purpose webserver, being able to execute uploaded javascript is intended behavior. However, copyparty also provides a better way to reliably execute arbitrary javascript in markdown documents, through the use of markdown plugins (the -emp
argument). An example of this can be seen here. I realize my project is poorly documented, but I am working on it 🙏
I hope that you continue your journey as a security researcher, and make many exciting discoveries. But I also hope you will be doing so through 关于安全漏洞的协调披露 whenever possible. Gain a great reputation as a responsible hacker 💯
Hope to hear from you some day :-)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.