Closed
Description
The shellinabox server, when configured to use HTTPS, still allows an unencrypted HTTP fallback through the "/plain" URL.
This opens the door to a DNS rebinding attack: malicious JavaScript loaded in the context of the user's browser could connect to shellinabox in the time window between server startup and the user's reconfiguration of the default credentials (the scenario is a vanilla installation of, for example, an embedded system).
The "/plain" fallback should be disabled by default to improve security and mitigate such an attack.
Credit goes to Stephen Röttger from the Google Security Team for identifying the issue.
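The check below is an added example, not code from the shellinabox project or from this issue. It probes a deployment you operate for the "/plain" fallback and for whether that path also answers a request whose Host header names a domain the server does not own, which is what a rebound browser would send; the host name, port and "rebound.example" are placeholders, and it assumes the server accepts plain HTTP on the same port as TLS.

```python
"""Audit a shellinabox deployment you operate for the "/plain" HTTP fallback.

Added example, not code from the shellinabox project. Assumptions: the
server listens on one port for both TLS and plain HTTP (placeholder
device.example:4200), and a browser that has been rebound would send a
plain-HTTP request for /plain carrying the attacker's name in Host.
"""
import http.client


def get_status(host, port, path, host_header=None, timeout=5):
    """GET path over plain HTTP; return the status code, or None on error."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        # An explicit Host header replaces the one http.client would add.
        headers = {"Host": host_header} if host_header else {}
        conn.request("GET", path, headers=headers)
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def assess(plain_status, foreign_host_status):
    """Map two probe results to findings; pure, so it can be tested offline.

    plain_status:        GET /plain with the server's own Host name.
    foreign_host_status: GET /plain with a Host name the server does not
                         own (what a rebound browser would send).
    Anything other than 200 (redirect to HTTPS, 4xx, connection reset)
    counts as the fallback being unavailable on that path.
    """
    findings = []
    if plain_status == 200:
        findings.append("plain-fallback: /plain is served over unencrypted HTTP")
    if foreign_host_status == 200:
        findings.append("host-header: /plain also answers to a foreign Host name")
    if plain_status == 200 and foreign_host_status == 200:
        findings.append("dns-rebinding: browser script can reach the login page "
                        "until the default credentials are changed")
    return findings


if __name__ == "__main__":
    host, port = "device.example", 4200           # placeholders
    own = get_status(host, port, "/plain", host_header=f"{host}:{port}")
    foreign = get_status(host, port, "/plain", host_header="rebound.example")
    for line in assess(own, foreign) or ["no findings: /plain fallback not reachable"]:
        print(line)
```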