[CVE-2023-27075] Security issues for Stored XSS #142
Comments
I've discovered that a while ago too and contacted the maintainer about it on 2023-02-16, but they haven't responded yet. If anyone is interested in a fork of microbin by... well, me (which fixes that and adds some other features that were requested here), here is the link to the repo: https://gitlab.com/obsidianical/microbin
There are more severe things:
Disclaimer: I write a similar service …
Microbin's JSON database is a joke. I'm aware of that. It's kinda a high-priority TODO for my fork at the moment. How do I reproduce the UTF-8 data thing? I'm gonna look into fixing that ASAP if I can diagnose it.
Paste invalid UTF-8 and you are good.
I've tried crashing a local dev instance, and I haven't been able to, even after pasting a raw binary program, random bytes, and a stress tester file for invalid UTF-8. I don't think that'll cause many problems, since triggering this issue at all has been quite impossible for me so far. If you can provide a sample of a string that does crash it, please do.
It does not crash the entire server because actix installs a panic handler but it renders the upload and a few other endpoints useless. Try
From now on, every time you try to paste something either via the REST endpoint or the UI, it will fail with
Edit: also the List and Info endpoints do not work anymore.
While there seems to be an error, pasting still seems to work on my fork. It seems that I fixed the problem preventing pasting (by accident). The fix seems to have been that I switched to an async-aware mutex for another unrelated reason, which seems to unlock after a thread crashes.
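As an added example, not code from microbin or from any commenter, here is a stand-alone Rust model of the failure mode the last few comments describe: a request handler that panics on invalid UTF-8 while holding a `std::sync::Mutex` poisons the lock, so every later upload fails even though the server process survives, next to a handler that validates the body before locking and recovers a poisoned lock. The store type, handler names and sample bodies are constructed for the example.

```rust
use std::sync::{Arc, Mutex};
use std::thread;

// Constructed stand-in for the paste store: just the list of stored pastes.
type Store = Arc<Mutex<Vec<String>>>;

// Naive handler: takes the lock first, then converts the body with unwrap().
// An invalid UTF-8 body panics while the guard is held, which poisons the
// mutex; every later lock() call then returns Err (the "upload is useless
// but the process is up" symptom described in the thread).
fn store_naive(store: &Store, body: &[u8]) -> Result<usize, String> {
    let mut guard = store.lock().map_err(|_| "store mutex poisoned".to_string())?;
    let text = String::from_utf8(body.to_vec()).unwrap();
    guard.push(text);
    Ok(guard.len())
}

// Hardened handler: reject malformed input before touching shared state, and
// if the lock was poisoned by an earlier panic, take the guard anyway instead
// of turning one bad request into a permanent outage.
fn store_hardened(store: &Store, body: &[u8]) -> Result<usize, String> {
    let text = std::str::from_utf8(body)
        .map_err(|e| format!("body is not valid UTF-8: {e}"))?
        .to_string();
    let mut guard = store.lock().unwrap_or_else(|poisoned| poisoned.into_inner());
    guard.push(text);
    Ok(guard.len())
}

// Runs one request on its own thread (like a worker in a request pool) so a
// panic is contained; Err(()) means that request's thread panicked.
fn request(
    store: &Store,
    body: &'static [u8],
    handler: fn(&Store, &[u8]) -> Result<usize, String>,
) -> Result<Result<usize, String>, ()> {
    let s = Arc::clone(store);
    thread::spawn(move || handler(&s, body)).join().map_err(|_| ())
}

fn main() {
    let store: Store = Arc::new(Mutex::new(Vec::new()));
    // Constructed body: "hi" followed by 0xFF, which is never valid UTF-8.
    let bad: &[u8] = &[0x68, 0x69, 0xFF];
    assert!(request(&store, bad, store_naive).is_err());
    // The worker panicked while holding the lock, so a valid upload now fails too.
    assert_eq!(request(&store, b"hello", store_naive), Ok(Err("store mutex poisoned".to_string())));
    // The hardened path rejects the bad body cleanly and recovers the lock.
    assert!(matches!(request(&store, bad, store_hardened), Ok(Err(_))));
    assert_eq!(request(&store, b"hello", store_hardened), Ok(Ok(1)));
}
```

The panic message printed by the naive handler's worker is expected; the point is that the process keeps running while the shared store stays unusable until a handler recovers the lock.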
@szabodanika, apologies for tagging you. With this CVE in the wild for a month, should we consider this project unmaintained? Apologies for being blunt, I love the tool and just wanted to know the status :)
Hello, I found an XSS issue in the project.
Although there is nothing about authentication cookies, an attacker can redirect to a malicious site or insert malicious code.
Payload:
Root cause:
microbin/src/pasta.rs, line 147 in 84136f1