- read-only demo server at https://a.ocv.me/pub/demo/
- docker image ╱ similar software ╱ client testbed
IMPORTANT - recent security / vulnerability fixes
- v1.8.6 (this release) - GHSA-cw7j-v52w-fp5r - reflected XSS
- v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal
- all server logs reviewed so far (5 public servers) showed no signs of exploitation
bugfixes
- reflected XSS through `/?hc` (the optional subfolder parameter to the connect page) - if someone tricked you into clicking `http://127.0.0.1:3923/?hc=<script>alert(1)</script>` they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account - if you use a reverse proxy, you can check if you have been exploited like so:
- nginx: grep your logs for URLs containing `?hc=` with `<` somewhere in its value, for example using the following command: `(gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -E '[?&](hc|pw)=.*[<>]'`
- if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
- thanks again to @TheHackyDog !
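A log-scanning example added here (not part of the release notes or of copyparty itself): it applies the same hc/pw check as the grep above to constructed nginx combined-format lines, but URL-decodes each value before testing it, so percent-encoded payloads such as `%3Cscript%3E`, which nginx writes to the access log exactly as received and a raw `[<>]` grep would not match, are flagged as well.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in nginx "combined" log format (not real server logs).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2023:10:00:01 +0000] "GET /?hc=music/albums HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [14/Jul/2023:10:00:02 +0000] "GET /?hc=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [14/Jul/2023:10:00:03 +0000] "GET /?hc=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [14/Jul/2023:10:00:04 +0000] "GET /pub/?pw=hunter2&hc=docs HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Jul/2023:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# The quoted request field: method, path-with-query, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"')

# Query parameters the release notes' own grep looks at.
SUSPECT_PARAMS = ("hc", "pw")


def suspicious_params(uri: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) for every hc/pw parameter whose decoded value contains < or >."""
    query = urlsplit(uri).query
    hits = []
    # parse_qsl percent-decodes values, so %3C and a literal < are treated alike.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name in SUSPECT_PARAMS and ("<" in value or ">" in value):
            hits.append((name, value))
    return hits


def scan_log(text: str) -> list[dict]:
    """Scan nginx access-log text and return one finding per suspicious parameter."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed or non-HTTP line: nothing to inspect
        for name, value in suspicious_params(m.group("uri")):
            findings.append({"line": lineno, "client": line.split(" ", 1)[0],
                             "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} sent {f['param']}={f['value']!r}")
```

Feed it the decompressed log files the same way as the grep above; any finding is a reason to rotate the affected account passwords.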