CVE-2023-41471
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in copyparty versions before 1.9.2 that allows a local attacker with write access to execute arbitrary JavaScript via the WEEKEND-PLANS function. The vulnerability is disputed because attackers with write access could already upload malicious HTML files directly. Affected users are those running vulnerable copyparty instances with local users who have write permissions.
💻 Affected Systems
- copyparty
⚠️ Risk & Real-World Impact
Worst Case
An attacker with write access could execute arbitrary JavaScript in the context of other users' browsers, potentially stealing session cookies, performing actions as authenticated users, or delivering malware.
Likely Case
Limited impact since attackers need existing write access, making this primarily a privilege escalation vector for already-compromised accounts rather than an initial access vulnerability.
If Mitigated
Minimal impact if proper access controls limit write permissions to trusted users only and if users have appropriate browser security settings.
🎯 Exploit Status
Exploitation requires write access to the server. Public proof-of-concept exists in the GitHub references. The vulnerability is simple to exploit once write access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v1.9.2
Vendor Advisory: https://github.com/9001/copyparty/releases/tag/v1.9.2
Restart Required: Yes
Instructions:
1. Back up your current copyparty configuration and data.
2. Download and install copyparty v1.9.2 or later from the GitHub releases page.
3. Replace the existing copyparty files with the new version.
4. Restart the copyparty service.
🔧 Temporary Workarounds
Restrict Write Access
Limit write permissions to only trusted, necessary users to prevent exploitation of this vulnerability.
# Review and modify file permissions for copyparty directories
# Example: chmod -R 755 /path/to/copyparty/data
# Example: chown -R trusteduser:trustedgroup /path/to/copyparty/data
Disable WEEKEND-PLANS Function
Remove or disable the vulnerable WEEKEND-PLANS function if it is not needed.
# Modify copyparty configuration to disable WEEKEND-PLANS
# Check copyparty documentation for specific configuration options
🧯 If You Can't Patch
- Implement strict access controls to limit write permissions to only absolutely necessary users.
- Deploy web application firewall (WAF) rules to detect and block XSS payloads targeting the WEEKEND-PLANS endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if copyparty version is earlier than 1.9.2 and if the WEEKEND-PLANS function is accessible to users with write permissions.
Check Version:
python3 -c "import copyparty; print(copyparty.__version__)" or check the copyparty startup logs
Verify Fix Applied:
Verify copyparty version is 1.9.2 or later and test that XSS payloads in WEEKEND-PLANS function are properly sanitized or blocked.
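The version comparison above is easy to get wrong if done on raw strings ("1.10.0" sorts before "1.9.2" alphabetically). The script below is an added example, not code from the advisory or from the copyparty project; it compares dotted version numbers as integer tuples against the fixed release named here (1.9.2). It assumes a version string in dotted-integer form, optionally prefixed with "v" or followed by a suffix such as "-dev", and the `check_installed` helper assumes the `copyparty.__version__` attribute the advisory refers to exists in your build.

```python
"""Version check for the copyparty XSS advisory (fixed in v1.9.2).

Added example, not code from the original advisory or from the copyparty
project. It assumes a version string in dotted-integer form, optionally
prefixed with 'v' or followed by a suffix such as '-dev', which is ignored.
"""
import re

FIXED_VERSION = "1.9.2"  # first patched release named in the advisory

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """Convert '1.9.1', 'v1.9.2' or '1.10.0-dev' into a tuple of ints.

    Comparing the raw strings is a classic mistake: '1.10.0' < '1.9.2'
    lexicographically, although 1.10.0 is the newer release. Integer
    tuples compare component by component and get this right.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version_text: str) -> bool:
    """True when the given copyparty version predates the fix (< 1.9.2)."""
    return parse_version(version_text) < parse_version(FIXED_VERSION)


def check_installed() -> str:
    """Report the interpreter's installed copyparty as 'vulnerable',
    'patched' or 'not-installed'.

    Reads copyparty.__version__ as the advisory suggests (assumption: the
    attribute exists in your build); if it does not, take the version
    from the startup log instead.
    """
    try:
        import copyparty
    except ImportError:
        return "not-installed"
    version = getattr(copyparty, "__version__", None)
    if isinstance(version, (tuple, list)):
        # Some packages expose a tuple rather than a string; normalise to text.
        version = ".".join(str(p) for p in version)
    if not isinstance(version, str):
        raise RuntimeError("copyparty.__version__ not usable; check the startup log")
    return "vulnerable" if is_vulnerable(version) else "patched"


if __name__ == "__main__":
    for sample in ("1.9.1", "1.9.2", "1.10.0", "v1.8.7"):
        print(sample, "->", "vulnerable" if is_vulnerable(sample) else "patched")
```

Run it on the host in question, or feed `is_vulnerable` the version string printed in the copyparty startup log; anything below 1.9.2 should go on the patch list.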
📡 Detection & Monitoring
Log Indicators:
- Unusual activity in WEEKEND-PLANS function logs
- JavaScript payloads in user-submitted content to WEEKEND-PLANS endpoint
- Multiple failed attempts to access write-protected functions
Network Indicators:
- HTTP requests containing script tags or JavaScript payloads targeting WEEKEND-PLANS endpoint
- Unusual traffic patterns from internal users to copyparty instance
SIEM Query:
source="copyparty.log" AND ("WEEKEND-PLANS" OR "script" OR "javascript" OR "onload=" OR "onerror=")
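The SIEM query above matches the bare word "script" anywhere in the log, which is noisy on a file server. The script below is an added example, not part of the advisory or the copyparty project, that applies the same indicators (script tags, `on*=` handlers, `javascript:` URIs) to access-log lines but scopes them to requests for the vulnerable feature and URL-decodes first, so double-encoded payloads are still seen. Both the log line layout and the path fragment `weekend-plans` are assumptions: the advisory does not give the real endpoint path, so take both from your own copyparty logs. The sample lines are constructed, not real traffic.

```python
"""Scan copyparty-style access-log lines for XSS indicators aimed at the
WEEKEND-PLANS feature.

Added example, not part of the original advisory or the copyparty project.
Assumptions: the log line layout below (timestamp, client IP, method, URL,
status) and the path fragment 'weekend-plans' are both placeholders; the
advisory does not give the real path, so take both from your own logs.
"""
import re
from urllib.parse import unquote_plus

# Placeholder path fragment for the vulnerable feature (assumption, see above).
ENDPOINT_HINT = "weekend-plans"

# Indicator patterns, applied after URL-decoding, case-insensitive.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]{2,}\s*=", re.I),  # onload=, onerror=, ...
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "html_tag": re.compile(r"<\s*(?:img|svg|iframe|object|embed)\b", re.I),
}

# Constructed log layout: "<date> <time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <)
    are still caught; stops early once decoding no longer changes the text."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_line(line: str):
    """Return a finding dict for a suspicious request to the endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected layout; ignore rather than guess
    url = decode_fully(m["url"])
    if ENDPOINT_HINT not in url.lower():
        return None  # scoped to the vulnerable feature to keep noise down
    indicators = [name for name, pat in XSS_PATTERNS.items() if pat.search(url)]
    if not indicators:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "method": m["method"],
            "url": url, "indicators": indicators}


def scan(lines):
    """Run classify_line over an iterable of log lines and collect findings."""
    return [f for f in (classify_line(line) for line in lines) if f]


# Constructed sample lines (not real traffic); hosts and paths are made up.
SAMPLE_LOG = [
    "2023-09-01 10:15:02 10.0.0.5 GET /weekend-plans?text=hello+world 200",
    "2023-09-01 10:15:09 10.0.0.5 POST /weekend-plans?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200",
    "2023-09-01 10:16:40 10.0.0.7 POST /weekend-plans?text=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 200",
    "2023-09-01 10:17:01 10.0.0.9 GET /upload?name=%3Cscript%3E 200",
    "2023-09-01 10:18:22 10.0.0.5 GET /weekend-plans?text=javascript%3Aalert(1) 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["indicators"], finding["url"])
```

Scoping to the endpoint drops the fourth sample line even though it carries a script tag elsewhere; widen `ENDPOINT_HINT` (or remove the check) if you want the broader, noisier view the SIEM query gives. Since the advisory says exploitation needs write access, the client IP in each finding maps to an account worth reviewing rather than an anonymous external source.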