9001/copyparty v1.9.10

badpwd

on GitHub

• read-only demo server at https://a.ocv.me/pub/demo/
• docker image ╱ similar software ╱ client testbed

no vulnerabilities since 2023-07-23

• there is a discord server with an @everyone in case of future important updates
• v1.8.7 (2023-07-23) - CVE-2023-38501 - reflected XSS
• v1.8.2 (2023-07-14) - CVE-2023-37474 - path traversal (first CVE)
  • all serverlogs reviewed so far (5 public servers) showed no signs of exploitation

new features

• argument --log-badpwd specifies how to log invalid login attempts;
  • 0 = just a warning with no further information
  • 1 = log incorrect password in plaintext (default)
  • 2 = log sha512 hash of the incorrect password
  • 1 and 2 are convenient for stuff like setting up autoban triggers for common passwords using fail2ban or similar

bugfixes

• none!
  • the formerly mentioned caching-directives bug turned out to be unreachable... oh well, better safe than sorry

⚠️ not the latest version!