pldubouilh / gossa

🎶 a fast and simple multimedia fileserver
MIT License
874 stars 73 forks

Kind of major security flaw #101

Closed pbogre closed 1 year ago

pbogre commented 1 year ago

It is possible to disable readonly mode with a simple command. I was going to use gossa as a file host to expose to the public, but I think I'll have to wait on that until this is fixed.

All I did was have a very brief look at the code, and there was a file that immediately posed a glaring issue, and when I went and checked if it really worked I was kind of surprised lol.

I'm not going to include the line here for the poor souls that have exposed a readonly instance of gossa to the internet, but I have to say it is really not hard to find. There was no security policy on this repository so let me know how I should contact you.

I tested this with a readonly instance of gossa running in docker, and sure enough I was able to remove readonly mode and add/delete/rename files and folders. It is also possible to set a read and write instance to readonly.

Edit: I looked into this some more, and in fact readonly mode is pretty much negligible for anyone who is tech-savvy enough to know how to open the console in their browser.

pldubouilh commented 1 year ago

Hey - thanks for the report - I'm afk at the moment, but can have a look in a couple hours.

If you want to drop me an email using GPG, here's my email + pkey: http://pgp.mit.edu/pks/lookup?op=get&search=0x93CE7A6E41D7E403

pbogre commented 1 year ago

I have sent an email to the address detailing the problem.

pbogre commented 1 year ago

Closed as resolved in private; it was a misunderstanding on my part and there is no security flaw.