github 9001/copyparty v1.8.7
XSS for days

10 months ago

for lack of better ideas, there is now a discord server with an @everyone for all future important updates such as this one

IMPORTANT - recent security / vulnerability fixes

bugfixes

  • reflected XSS through /?k304 and /?setck
    • if someone tricked you into clicking a URL containing a chain of %0d and %0a they could potentially have moved/deleted existing files on the server, or uploaded new files, using your account
    • if you use a reverse proxy, you can check if you have been exploited like so (also checks for GHSA-cw7j-v52w-fp5r):
      • nginx: grep your logs for URLs containing %0d%0a%0d%0a, for example using the following command:
        (gzip -dc access.log*.gz; cat access.log) | sed -r 's/" [0-9]+ .*//' | grep -iE '%0[da]%0[da]%0[da]%0[da]|[?&](hc|pw)=.*[<>]'
    • if you find any traces of exploitation (or just want to be on the safe side) it's recommended to change the passwords of your copyparty accounts
    • huge thanks again to @TheHackyDog !
  • the original fix for CVE-2023-37474 broke the download links for u2c.py and partyfuse.py
  • fix mediaplayer spinlock if the server only has a single audio file
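To show the nginx log check above in a form that can be run over a log extract, here is an added Python example (not part of copyparty or this release) that applies the same two patterns as the grep, but only to the request field of each line, which is what the `sed` in the command achieves by cutting the line at the status code. The log lines are constructed for illustration, and the field layout assumes nginx's default combined format.

```python
import re
from typing import List, Tuple

# nginx "combined" format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# The two alternatives from the grep in the release notes:
#  1) four percent-encoded CR/LF bytes in a row anywhere in the request line
#  2) an hc= or pw= query parameter whose value contains a literal < or >
CRLF_CHAIN = re.compile(r'%0[da]%0[da]%0[da]%0[da]', re.IGNORECASE)
HC_PW_TAG = re.compile(r'[?&](hc|pw)=.*[<>]', re.IGNORECASE)


def classify_request(request: str) -> List[str]:
    """Return the names of the patterns that match one request line."""
    hits = []
    if CRLF_CHAIN.search(request):
        hits.append("crlf-chain")
    if HC_PW_TAG.search(request):
        hits.append("hc-pw-angle-bracket")
    return hits


def find_suspicious_requests(lines) -> List[Tuple[str, str, str, List[str]]]:
    """Yield (client, timestamp, request, hits) for lines whose request field matches.

    Only the request field is inspected, so a pattern that appears in the
    referer or user-agent (as in the last sample line) does not count.
    """
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or non-combined-format line
        request = m.group("request")
        hits = classify_request(request)
        if hits:
            found.append((m.group("addr"), m.group("time"), request, hits))
    return found


# Constructed sample log (not real traffic): two hits, one benign, one referer-only.
SAMPLE_LOG = """
198.51.100.7 - - [03/Aug/2023:09:12:41 +0000] "GET /music/?k304=%0D%0A%0d%0ax HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.9 - - [03/Aug/2023:09:13:02 +0000] "GET /?hc=<b>x HTTP/1.1" 200 77 "-" "curl/8.1"
203.0.113.9 - - [03/Aug/2023:09:13:10 +0000] "GET /?pw=hunter2 HTTP/1.1" 200 77 "-" "curl/8.1"
192.0.2.4 - - [03/Aug/2023:09:14:00 +0000] "GET /index.html HTTP/1.1" 200 3000 "http://example.invalid/?k304=%0d%0a%0d%0a" "scanner"
""".strip().splitlines()

if __name__ == "__main__":
    for addr, when, req, hits in find_suspicious_requests(SAMPLE_LOG):
        print(f"{when} {addr} {','.join(hits)} {req}")
```

Feed it a real log with `find_suspicious_requests(open("access.log"))` and, as the release notes advise, rotate your copyparty passwords if anything is reported.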
