Submitted by jaidedctrl in coinshred (edited )

As pointed out by /u/throwaway, there was an XSS hole and a flaw allowing uploading and execution of PHP files.

Now, "<" and ">" characters are blocked in file-names & get requests, and the endings to some file-types (which are often used for executables) are replaced with "inv"-- including "php", "cl", "lisp", and "pl".

I'll probably make the latter blocks configurable, since peoples' configurations of HTTP servers varies.

Big shout-out and thanks to /u/throwaway, who uses a throwaway account, probably! What a good fellow. :)

EDIT: No private data (including who uploaded what) was accessed when this security problem existed-- that data isn't stored in the first place. Worst-case scenario, the list and time-stamps of uploaded files were seen. I've just set up an automatic job to change the time-stamps of every file once an hour, so that even that information will be useless. =w=

9

Comments

You must log in or register to comment.