[CVE-2023-27075] Security issues for Stored XSS about microbin HOT 9 CLOSED

I've discovered that a while ago too and contacted the maintainer about it on the 2023-02-16., but they didn't respond yet.

If anyone is interested in a fork of microbin by... well, me (which fixes that and adds some other features that were requested here), here is the link to the repo: https://gitlab.com/obsidianical/microbin

from microbin.

There are more severe things:

• The service is not handling invalid UTF-8 data well and panics. This keeps the lock on the "database" poisoned rendering the service inaccessible.
• The service keeps a lock while operating on its database, making async kind of pointless.
• The service serializes and writes the entire database file to disk each time a pasta is fetched. This will not scale well in the long run.

Disclaimer: I write a similar service …

from microbin.

Microbins json database is a joke. I'm aware of that. It's kinda a high priority TODO for my fork at the moment.

How do I reproduce the UTF-8 data thing? I'm gonna look into fixing that ASAP if I can diagnose it

from microbin.

How do I reproduce the UTF-8 data thing?

Paste invalid UTF-8 and you are good.

from microbin.

I've tried crashing a local dev instance, and I haven't been able to, even after pasting a raw binary program, random bytes, and a stress tester file for invalid UTF-8. I don't think that'll cause many problems, since triggering this issue at all was quite impossible to me so far. If you can provide a sample of a string that does crash it, please do.

from microbin.

It does not crash the entire server because actix installs a panic handler but it renders the upload and a few other endpoints useless. Try

wget https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
curl -F "expiration=10min" -F [email protected] -X POST http://0.0.0.0:8080/upload

From now on, every time you try to paste something either via the REST endpoint or the UI, it will fail with

thread 'actix-rt|system:0|arbiter:0' panicked at 'called `Result::unwrap()` on an `Err` value: PoisonError { .. }', src/endpoints/create.rs:40:41

Edit: also the List and Info endpoints do not work anymore.

from microbin.

While there seems to be an error, pasting still seems to work on my fork. It seems that I fixed the problem preventing pasting (by accident)

The fix seems to have been that I switched to an async aware mutex for another unrelated reason, which seems to unlock after a thread crashes.

from microbin.

@szabodanika, apologies for tagging you. With this CVE in the wild for a month, should we consider this project unmaintained? Apologies for being blunt, I love the tool and just wanted to know the status :)

from microbin.

Thanks a lot @7a6163 for #143! I apologise, I had to put aside personal projects as I was very busy with work and studies. I am back on working on v1.3.0 release now, cleaning up backlog in priority order. I am an active user of this software, therefore it will never be abandoned.

from microbin.