Wua.la Webserver Interface Commands
(btw. I found an XSS vulnerability on Wua.la)
-
Hi ringwrath-4, there is only openfile.
Thanks for reporting the XSS vulnerability!
-
Another vulnerability...
Proof of Concept:
A Suspicious website could crash the Wuala Program by inserting this code:
http://wua.la/testring/wuala+advisori...
#
Edit: The crash happens because no more free handles are available. I think at 50 windows or so.
You could add a limit so that a maximum of 20 windows can be open. -
Hi
Thanks for pointing this out! I have limited the max. number of open windows to 5. This should be enough for all use cases. This change will go live with the next update of Wuala.
-
No problem :)
Let's go on:
Wuala slows down and maybe crashes on long comments of URLs like
wua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/newwua.la/new...
Next:
Code execution vulnerability, medium/high risk (since you can't execute files with parameters.)
In a Comment:
<#a href="%comspec%">Click me, im a Link<#/a>
without #
The next thing: there are more executable files, not only .exe,
so you should make sure that all executable files and script files are secured with a prompt asking whether you want to execute them.
A small list:
.exe,.com,.pif,.bat,.scr,.cmd,.vbs etc.
All these files and even more could be malware... -
Also, since you can define an icon manually, the old "Image.jpg.exe/vbs/bat/whatever" trick should also work quite well in Wuala, especially since file extensions are hidden by default.
Just upload a folder of porn pics, replace one picture with an exe file and use the removed picture as the icon...
A big problem is that you can't check for malware on your side, it has to be done clientside - and if it's not easy or simple the ones who are in danger won't do that. -
Thanks a lot for all your feedback! You make Wuala a safer place to live in ;-)
About long comments: I was not able to reproduce that.
@ringwrath-4: I shared a folder http://wua.la/madmat/Shared/testLongC... with your account 'testring'. Could you try to put some comment on this folder with the negative effect you mentioned? Thanks.
About the 'click me' comment: all html has been disabled in comments now and existing html tags are filtered out for presentation of the comments.
About executable files: very good point. I extended the list to about 30 most common extensions. For all these extensions a popup showing the full name including the extension will be shown before the file is opened.
@bugreport: this should fix the scenario described by you as well, right? (Of course if someone still clicks 'ok' we cannot do anything ;-)
We plan to put these changes live still this week.
Gimme some more vulnerabilities! ;-)
I’m safer than before ;-)
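The extension check described in the reply above (full name shown, confirmation before opening), written out as an added Python example; this is not Wuala's own code, and since the 30-extension list is not on the page the set below is a constructed subset with a few hypothetical extras:

```python
from dataclasses import dataclass

# Constructed subset: the page names .exe,.com,.pif,.bat,.scr,.cmd,.vbs;
# the remaining entries are hypothetical additions, not Wuala's real list.
EXECUTABLE_EXTENSIONS = frozenset({
    ".exe", ".com", ".pif", ".bat", ".scr", ".cmd", ".vbs",
    ".js", ".jse", ".wsf", ".msi", ".jar", ".ps1", ".hta",
})


def normalise(name: str) -> str:
    """Drop trailing dots/spaces that Windows silently removes, so that
    'photo.jpg.exe.' is still recognised as an executable."""
    return name.rstrip(". \t")


def real_extension(name: str) -> str:
    """Return the *last* suffix, lower-cased: 'Image.jpg.exe' -> '.exe'.
    A leading dot alone (e.g. '.bashrc') is not treated as an extension."""
    name = normalise(name)
    dot = name.rfind(".")
    if dot <= 0:
        return ""
    return name[dot:].lower()


def is_executable(name: str) -> bool:
    """True when the real extension is on the executable/script list."""
    return real_extension(name) in EXECUTABLE_EXTENSIONS


@dataclass
class OpenDecision:
    shown_name: str   # label the client would display for the file
    confirm: bool     # whether a confirmation popup must precede opening


def decide_open(name: str, hide_extensions: bool = True) -> OpenDecision:
    """Mirror the described fix: for executable types always display the
    full name including its extension and require confirmation; for other
    files honour the 'hide extensions' preference as usual."""
    full = normalise(name)
    if is_executable(full):
        return OpenDecision(full, True)
    shown = full
    if hide_extensions and real_extension(full):
        shown = full[: full.rfind(".")]
    return OpenDecision(shown, False)
```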
-
Done: if you click on the comment buttons Wuala crashes instantly without any error message.
I think it's because of too many carriage return line feeds (enter).
But I'm not sure.
I should learn Java :-)