github szTheory/exifcleaner v3.6.0
3.6.0

3 years ago

Security

  • Fix for XSS and Electron reverse shell vulnerabilities by sanitizing exiftool HTML output in the UI. To take advantage of this, an attacker would have had to write image metadata containing malicious script code to a file that you then download and run through ExifCleaner. Proofs of concept:

XSS:

exiftool -Comment='<img src=x onerror=alert("ok") /><b>OverJT</b>' -PixelUnits='meters' image.png

Electron reverse shell:

exiftool -Comment='<img src=x onerror=window.require("child_process").exec("/usr/bin/firefox") /><b>OverJT</b>' -PixelUnits='meters' image.png

Don't miss a new exifcleaner release

NewReleases is sending notifications on new releases.