XSS vulnerability in NCrypt #6

@Framartin

For transparency reasons (and with the authorization of the NCrypt maintainer), the email I sent to NCrypt on 02/03/2017 is reproduced below:


I just found an XSS vulnerability in NCrypt.

How to reproduce

  • A malicious user creates a paste with the content: <script>alert('XSS')</script>
  • (S)he sends the link to the targeted user
  • The targeted user clones the paste
  • The JS payload is executed

As far as I tested it, the choice of programming language doesn't change the result.

Note: the payload can be "hidden" in a lot of text or code in order to "trick" users.

As far as I know, the impact is quite limited because you don't store the previously posted links in the browser, but it can be used to de-anonymize users for example.

I found this vulnerability because I'm currently and voluntarily searching for XSS vulnerabilities in a lot of FLOSS.

I remain available for any additional comments or questions.

Best,
Martin
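
Added example (not part of the original report and not NCrypt's code): the clone step described above, modeled as a hypothetical view that builds its HTML from the paste text, with the unencoded version beside an output-encoded one. The function names, the markup and the sample paste are assumptions constructed for illustration.

```javascript
// Hypothetical clone view: the paste text is placed back into an editor
// so the user can modify and re-submit it. Not NCrypt's actual code.

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Before: paste text is concatenated into markup as-is, so any tag in the
// paste becomes part of the page that the cloning user loads.
function renderCloneFormUnsafe(pasteText) {
  return '<form id="clone"><div class="editor">' + pasteText + '</div></form>';
}

// After: paste text is encoded at output time and can only render as text.
// In browser code, assigning to element.textContent or textarea.value gives
// the same guarantee without manual escaping.
function renderCloneFormSafe(pasteText) {
  return '<form id="clone"><div class="editor">' + escapeHtml(pasteText) + '</div></form>';
}

// Demo-only check: does the rendered markup contain a live script tag opener?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample: the payload from the report, surrounded by ordinary code
// as the note about "hiding" it suggests.
const samplePaste = "int main() { return 0; }\n<script>alert('XSS')</script>\n// end";

// Render the same paste both ways and report whether a script tag survives.
function demo() {
  return {
    unsafe: containsScriptTag(renderCloneFormUnsafe(samplePaste)),
    safe: containsScriptTag(renderCloneFormSafe(samplePaste)),
  };
}

console.log(demo());
```

Encoding happens at the point of output, so the stored paste is unchanged and the programming language chosen for highlighting does not matter.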
