- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
Starting with the bad and important news; this release fixes GHSA-pxfv-7rr3-2qjg / CVE-2023-37474 -- so please upgrade!
Every version until now had a path traversal vulnerability which allowed read-access to any file on the server's filesystem.
The logs from 5 public servers have been reviewed so far, with no signs of exploitation.
To summarize,
- Every file that the copyparty process had the OS-level permissions to read could be retrieved over HTTP without password authentication
- However, an attacker would need to know the full (or copyparty-module-relative) path to the file; it was luckily impossible to list directory contents to discover files on the server
- You may have been running copyparty with some mitigations against this:
  - prisonparty limited the scope of access to files which were intentionally given to copyparty for sharing; meaning all volumes, as well as the following read-only filesystem locations: `/bin`, `/lib`, `/lib32`, `/lib64`, `/sbin`, `/usr`, `/etc/alternatives`
  - the nix package has a similar mitigation implemented using systemd concepts
  - docker containers would only expose the files which were intentionally mounted into the container, so even better
- More conventional setups, such as just running the sfx (python or exe editions), would unfortunately expose all files readable by the current user
- The following configurations would have made the impact much worse:
  - running copyparty as root
So, three years, and finally a CVE -- which has been there since day one... Not great huh. There is a list of all the copyparty alternatives that I know of in the similar software link above.
Thanks for flying copyparty! And especially if you decide to continue doing so :-)
new features
- #43 volflags to specify thumbnailer behavior per-volume:
  - `--th-no-crop` / volflag `nocrop` to specify whether autocrop should be disabled
  - `--th-size` / volflag `thsize` to set a custom thumbnail resolution
  - `--th-convt` / volflag `convt` to specify conversion timeout
- #45 resulted in a handful of opportunities to tighten security in intentionally-dangerous setups (public folders with anonymous uploads enabled):
  - a new permission, `a` (in addition to the existing `rwmdgG`), to show the uploader-IP and upload-time for each file in the file listing
    - accidentally incompatible with the `d2t` volflag (will be fixed in the next ver)
  - volflag `nohtml` is a good defense against (un)intentional XSS; it returns HTML-files and markdown-files as plaintext instead of rendering them, meaning any malicious `<script>` won't run -- bad idea for regular use since it breaks fundamental functionality, but good when you really need it
    - the README-previews below the file-listing still render as usual, as this is fine thanks to the sandbox
  - a new eventhook `--xban` to run a plugin when copyparty decides to ban someone (for password bruteforcing or excessive 404's), for example to blackhole the IP using fail2ban or similar
bugfixes
- fixes a path traversal vulnerability, GHSA-pxfv-7rr3-2qjg / CVE-2023-37474
  - HUGE thanks to @TheHackyDog for reporting this !!
  - if you use a reverse proxy, you can check if you have been exploited like so:
    - nginx: grep your logs for URLs containing both `.cpr/` and `%2[^0]`, for example using the following command: `(gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E 'cpr/.*%2[^0]' | grep -vF data:image/svg`
- 77f1e51 fixes an extremely unlikely race-condition (see the commit for details)
- 8f59afb fixes another race-condition which is a bit worse:
  - the unpost feature could collide with other database activity, with the worst-case outcome being aborted batch operations, for example a directory move or a batch-rename which stops halfway
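As an added example (not part of these release notes or of the copyparty project), the following Python script performs the same check as the nginx grep pipeline in the path-traversal bugfix entry above, over a set of constructed sample log lines: it drops everything after the request field (the `sed` step, so a percent-encoded referer or user-agent cannot produce a match), looks for `cpr/` together with `%2[^0]` in what remains, and discards the `data:image/svg` false positives. The IP addresses, timestamps and file names in the sample lines are made up for the demonstration; the script also accepts plain and gzip-rotated log files on the command line, like the `(gzip -dc ...; cat ...)` part of the original command.

```python
import gzip
import re
from pathlib import Path
from typing import Iterable, List

# Everything from the closing quote of the request field onwards (status code,
# size, referer, user-agent) is dropped, like the release notes' sed step, so
# that a percent-encoding in a referer or user-agent cannot produce a match.
_REQUEST_TAIL = re.compile(r'" [0-9]+ .*')

# The indicator from the release notes: a request under the .cpr/ resource
# path that also carries a percent-encoded byte other than %20 (a plain space).
_INDICATOR = re.compile(r"cpr/.*%2[^0]")

# Inline SVG data URLs legitimately contain sequences such as %2b; the release
# notes exclude them with `grep -vF data:image/svg`.
_BENIGN_MARKER = "data:image/svg"

# Constructed sample log lines in nginx "combined" format (addresses, paths
# and timestamps are invented for this demonstration). Only the second line
# should be reported: the third carries %2e in the referer only, the fourth
# has a harmless %20, and the fifth is an SVG data URL.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Jul/2023:12:00:01 +0000] "GET /.cpr/deps/prism.js HTTP/1.1" 200 1234 "-" "curl/8.1.0"',
    '203.0.113.9 - - [10/Jul/2023:12:00:02 +0000] "GET /.cpr/deps/%2fprism.js HTTP/1.1" 200 5 "-" "curl/8.1.0"',
    '203.0.113.7 - - [10/Jul/2023:12:00:03 +0000] "GET /.cpr/deps/prism.js HTTP/1.1" 200 1234 "http://example.test/?q=%2e" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Jul/2023:12:00:04 +0000] "GET /.cpr/deps/a%20b.js HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Jul/2023:12:00:05 +0000] "GET /.cpr/deps/ui.css?bg=data:image/svg%2bxml HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


def request_part(line: str) -> str:
    """Return the log line with the response status and everything after it removed."""
    return _REQUEST_TAIL.sub("", line.rstrip("\r\n"))


def is_suspicious(line: str) -> bool:
    """True if the request part matches the indicator and is not a known-benign SVG data URL."""
    req = request_part(line)
    if _BENIGN_MARKER in req:
        return False
    return _INDICATOR.search(req) is not None


def suspicious_requests(lines: Iterable[str]) -> List[str]:
    """Return the request part of every line that matches the indicator."""
    return [request_part(line) for line in lines if is_suspicious(line)]


def iter_log_lines(paths: Iterable[Path]) -> Iterable[str]:
    """Yield lines from plain and gzip-rotated log files, mirroring
    `(gzip -dc access.log*.gz; cat access.log)` from the release notes."""
    for p in paths:
        opener = gzip.open if p.suffix == ".gz" else open
        with opener(p, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


if __name__ == "__main__":
    import sys

    paths = [Path(a) for a in sys.argv[1:]]
    lines = iter_log_lines(paths) if paths else SAMPLE_LOG_LINES
    for hit in suspicious_requests(lines):
        print(hit)
```

Run it with no arguments to see the check applied to the built-in sample, or pass your rotated nginx logs (`access.log`, `access.log.1.gz`, ...) as arguments. Any reported line deserves a manual look at the full request path before deciding whether it was an exploitation attempt.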