OnionShare is an open source tool that lets you securely and anonymously share files, host websites, and chat with friends using the Tor network. In affected versions chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom. This leads to a rendered HTML4 subset (Qt RichText editor) in the OnionShare frontend. This path is used in all components for displaying the server access history. In affected versions the path parameter of the requested URL is not sanitized before being passed to the Qt frontend. There is no way to block this attack in public mode due to the anonymity properties of the Tor network. An adversary with access to the receive mode can block file upload for others. In affected versions the receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. This issue has been patched in version 2.5. This requires the desktop application with rendered history, therefore the impact is only elevated. An adversary with knowledge of the Onion service address in public mode or with authentication in private mode can perform a Denial of Service attack, which quickly results in out-of-memory for the server. To be abused, this vulnerability requires rendering in the history tab, so some user interaction is required. Roughly 20 bytes lead to 2GB memory consumption and this can be triggered multiple times. Affected versions of the desktop application were found to be vulnerable to denial of service via an undisclosed vulnerability in the Qt image parsing. OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality.
Using onionshare to download full#An information disclosure vulnerability in OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to retrieve the full list of participants of a non-public OnionShare node via the --chat feature.