canove / whaticket-community

A very simple Ticket System based on WhatsApp messages, that allows multiple users on the same WhatsApp account.
MIT License

Processing documents instead of forcing their download #559

Open mauroalx opened 1 year ago

mauroalx commented 1 year ago

The current behavior of Whaticket when hosting .html files is to process them instead of forcing the download.

This may include security issues, mainly when the operator opens the sent file.

Take a look at the screenshot below

image

What can be done?

Your server can be used as a phishing page, and for real, the user just opening the file is enough for the attacker to get the URI (sending it using an HTTP request)

image

I think the best way is to force the download of .html files

I'm not in cybersecurity, so I may be wrong in parts.
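One way to implement the fix this issue asks for, as an added example and not whaticket's own code: a helper that builds the response headers which make a served upload download instead of rendering in the browser, written for a Node/Express-style static route (the `/public` route, `uploadDir` and the `setHeaders` wiring are assumptions).

```javascript
// Added example: headers that force an uploaded file to be downloaded
// rather than rendered. Not taken from whaticket; assumes a Node/Express
// static handler (wiring shown as a comment at the bottom).

// Extensions a browser would execute or render as markup if served inline.
// These get an opaque Content-Type on top of the attachment disposition.
const ACTIVE_CONTENT = new Set([
  ".html", ".htm", ".xhtml", ".shtml", ".svg", ".xml", ".js", ".mjs",
]);

function downloadHeadersFor(filename) {
  // Strip any directory part; only the base name goes back to the client.
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf(".");
  const ext = dot > 0 ? base.slice(dot).toLowerCase() : "";

  // ASCII fallback name limited to a safe character set (no quotes, no
  // separators); the full UTF-8 name travels in the RFC 5987 filename* form.
  const asciiName = base.replace(/[^\w.\-]/g, "_");

  const headers = {
    // Stop the browser from sniffing a different type than the one declared.
    "X-Content-Type-Options": "nosniff",
    // "attachment" shows a save dialog instead of rendering, for every upload.
    "Content-Disposition":
      `attachment; filename="${asciiName}"; ` +
      `filename*=UTF-8''${encodeURIComponent(base)}`,
  };

  if (ACTIVE_CONTENT.has(ext)) {
    // Even if a client ignores Content-Disposition, an opaque type keeps the
    // document out of the HTML/SVG renderer and out of the site's origin.
    headers["Content-Type"] = "application/octet-stream";
    // If something renders it anyway, deny scripts and sandbox it.
    headers["Content-Security-Policy"] = "default-src 'none'; sandbox";
  }
  // For images, PDFs etc. the static handler keeps its own Content-Type.
  return headers;
}

// Assumed Express wiring (express itself is not needed to run the helper):
// app.use("/public", express.static(uploadDir, {
//   setHeaders: (res, filePath) => {
//     for (const [k, v] of Object.entries(downloadHeadersFor(filePath))) {
//       res.setHeader(k, v);
//     }
//   },
// }));
```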

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

JoseMariani commented 1 year ago

I can work on improving that.. if you're interested, contact me.