Skip to content

v2.1.4

Latest

Choose a tag to compare

@github-actions github-actions released this 03 Jul 07:32

What Changed in v2.1.4

🔒 Security

  • WebDAV --no-delete bypass via MOVE/COPY (GHSA-hq33-8jgp-8qq3) — Under -w --no-delete (and --upload-only), the WebDAV MOVE verb still removed the source file — a rename deletes it from its original path — and, with Overwrite: T, destroyed an existing destination; COPY onto an existing file did the same via an implicit delete. The mode flags are now
    enforced on these verbs: MOVE is rejected whenever deletion is disabled, and a COPY that would overwrite an existing file is blocked, while a plain COPY to a new path stays allowed. --read-only continues to block all of them.
  • SFTP authentication bypass with a single credential (GHSA-rjrw-mjq6-hpmm) — SFTP only installed its password handler when both a username and a password were configured, so setting only one left the server accepting unauthenticated logins. Authentication is now enforced whenever either credential is set.

✨ New Features

  • Clipboard copy in the TUI generator — The --tui reverse-shell generator can now copy the selected payload straight to your - clipboard with y/c. It works both locally (xclip/xsel, wl-copy, pbcopy, clip) and over SSH via OSC 52, filling both the system clipboard and the X11 primary selection (Ctrl+V and middle-click / Shift+Insert). The generator tab was also restructured into a stacked layout so multi-line output can be cleanly mouse-selected without also grabbing the menu entries.

🐛 Bug Fixes

  • Fatal port-bind errors under --tui — Every listening protocol is now bound before the TUI dashboard takes over the terminal, so a port conflict (or any bind error) is reported cleanly and is fatal up front — instead of being swallowed by a serving goroutine, which under --tui left the terminal in raw mode needing a reset (and was silently dropped entirely for FTP).

⬆️ Dependencies

  • Bumped golang.org/x/net 0.53.0 → 0.55.0.
  • Bumped GitHub Actions: github/codeql-action (init/autobuild/analyze) 4.36.2 → 4.36.3, and goreleaser/goreleaser-action 7.2.2 → 7.2.3.