
v1.0.7: Fix broken code


@Neztore Neztore released this 02 Aug 20:34
· 66 commits to master since this release

Sorry folks. Really dropped the ball here.
The previous CSRF implementation broke file uploading. I've now fixed everything.
File uploading now only accepts authentication by header. This means it does not need CSRF protection, as attackers cannot get the secret from the cookie.


This release resolves a CSRF vulnerability present within the server.
This means that if you are logged into a Save-Server instance and you browse to a malicious site, it could perform some actions such as creating redirects, deleting files, and creating or updating users (if root).

They cannot GET files with this vulnerability, so they could not view your gallery - only modify it.
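
The header-only upload authentication described above, next to a cookie-authenticated route that needs a CSRF check, as an added sketch that is not Save-Server's own code. The `Authorization` and `x-csrf-token` header names, the `token` and `csrf` cookie names, the double-submit style CSRF check and all function names are assumptions made for illustration.

```javascript
// Constructed sample data: one session secret for a logged-in user.
const SESSIONS = new Map([["s3cr3t-constructed-token", { user: "alice" }]]);

// Compare without exiting at the first mismatch (Node also offers crypto.timingSafeEqual).
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function lookup(token) {
  for (const [known, session] of SESSIONS) if (safeEqual(token, known)) return session;
  return null;
}

// Parse a Cookie header such as "a=1; b=2" into an object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Upload route: header only. The cookie is never consulted, so a request the
// browser was tricked into sending (cookie attached automatically) is anonymous.
function authUpload(req) {
  return lookup(req.headers["authorization"]);
}

// Other state-changing routes (assumed design): cookie auth is allowed, but only
// together with a CSRF token that a page on another origin cannot read or send.
function authCookieRoute(req) {
  const cookies = parseCookies(req.headers["cookie"]);
  const session = lookup(cookies.token);
  if (!session) return null;
  return safeEqual(req.headers["x-csrf-token"], cookies.csrf) ? session : null;
}

// Constructed requests: a cross-site request carrying only cookies, an upload
// client sending the header, and the site's own front end sending cookie + CSRF header.
const forged = { headers: { cookie: "token=s3cr3t-constructed-token; csrf=abc123" } };
const client = { headers: { authorization: "s3cr3t-constructed-token" } };
const browser = { headers: { cookie: forged.headers.cookie, "x-csrf-token": "abc123" } };
console.log(authUpload(forged), authUpload(client), authCookieRoute(forged), authCookieRoute(browser));
```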