trinity-syt-security / xss_vuln_issue Goto Github PK

Hello! This is ed, author of copyparty. Nice to meet you :-)

I see that you have been exploring my software for vulnerabilities. This is awesome, and I very much appreciate your efforts in doing so.

However, I was sad to see that you decided to post your findings publically, without letting me know first. Just like many other open source projects, copyparty has tried to make it as easy as possible to disclose of any such vulnerabilities in private. On the github project page, there is a security tab which explains how to get in touch with me. That way, we can work together on fixing the issue, and avoid zero-day vulnerabilities that could put people's safety at risk. And maybe you even get a cool CVE that you can put on your resume 👍

We were lucky this time, since this was not a vulnerability. The release notes of version 1.9.2 mention how there are several intended ways to execute arbitrary javascript on the server, for example by uploading html files. When your copyparty account has the necessary permissions to edit markdown documents, you also have the permission to upload files. And since copyparty is a general-purpose webserver, being able to execute uploaded javascript is intended behavior. However, copyparty also provides a better way to reliably execute arbitrary javascript in markdown documents, through the use of markdown plugins (the -emp argument). An example of this can be seen here. I realize my project is poorly documented, but I am working on it 🙏

I hope that you continue your journey as a security researcher, and make many exciting discoveries. But I also hope you will be doing so through 关于安全漏洞的协调披露 whenever possible. Gain a great reputation as a responsible hacker 💯

Hope to hear from you some day :-)