You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
RTFN is subject to XSS. Please remove it from the links ASAP. I have no way of reaching out to the creators, please link me a repo somewhere where I could report this properly.I have contacted one of the creators by e-mail, but RTFN does not seem to be actively maintained, so I do not have high hopes that this will get resolved in a timely manner.
Proof
CRITICAL In the test fake newsgroup: https://rtfn.fr/news/rtfn.playground/1714620224716018/ (check your console after opening this page 👀). This is especially important as it is not monitored by the CRI and I doubt the maintainers are actively monitoring this newsgroup.
CRITICAL In a regular newsgroup: https://rtfn.fr/news/test/1397/. This is less critical but still extremely dangerous as the CRI may take time to respond to a suspicious news in a less monitored newsgroup.
HIGH In the newsgroup preview (not as much as an issue since users have to knowingly enter stuff there, but this can still happen when replying to a news)
What is even worse is that you have no way to know whether an article is malicious other than checking the page's source code, <script> blocks are invisible.
Although usernames are logged within RTFN's systems, it is very easy through social engineering to get a user's credentials. And even then, exploiting this vulnerability is trivial.
Quick calculations on the CVSS 3.1 calculator indicate a juicy High (8.5/10) severity, yummy!
The text was updated successfully, but these errors were encountered:
All HTML tags are now stripped in news title, content, tags and signature. This fix also applies to previews on the homepage and on the newsgroup details page.
RTFN is subject to XSS. Please remove it from the links ASAP.
I have no way of reaching out to the creators, please link me a repo somewhere where I could report this properly.I have contacted one of the creators by e-mail, but RTFN does not seem to be actively maintained, so I do not have high hopes that this will get resolved in a timely manner.Proof
What is even worse is that you have no way to know whether an article is malicious other than checking the page's source code,
<script>
blocks are invisible.Although usernames are logged within RTFN's systems, it is very easy through social engineering to get a user's credentials. And even then, exploiting this vulnerability is trivial.
Quick calculations on the CVSS 3.1 calculator indicate a juicy High (8.5/10) severity, yummy!
The text was updated successfully, but these errors were encountered: