szTheory/exifcleaner v3.6.0
3.6.0

on GitHub

3 years ago

Security

Fix for XSS and Electron reverse shell vulnerabilities by sanitizing exiftool HTML output in the UI. To take advantage of this, an attacker would have had to write image metadata containing malicious script code to a file that you then download and run through ExifCleaner. Proofs of concept:

XSS:

exiftool -Comment='<img src=x onerror=alert("ok") /><b>OverJT</b>' -PixelUnits='meters' image.png

Electron reverse shell:

exiftool -Comment='<img src=x onerror=window.require("child_process").exec("/usr/bin/firefox") /><b>OverJT</b>' -PixelUnits='meters' image.png

Check out latest releases or
releases around szTheory/exifcleaner v3.6.0

Don't miss a new exifcleaner release

NewReleases is sending notifications on new releases.

Get notifications