ZeroNet version 0.7.1

@HelloZeroNet HelloZeroNet released this 06 Sep 01:10
· 583 commits to py3 since this release
38e20b7
  • Pull down top-right 0 button to show console
  • New UiPluginManager plugin: Manage and install third-party plugins.
  • Full support of OpenSSL 1.1 (Thanks to radfish & imachug)
  • Fix a bug that did not load merged site data for 5 sec after the site got added
  • Add fake SNI and ALPN to peer connections to make it more like standard https connections

Important security update:

Wrapper template HTML injection vulnerability [Reported by ivanq]

In ZeroNet before rev4188, the wrapper template variables were rendered incorrectly.

Result: The opened site was able to gain a WebSocket connection with unrestricted ADMIN/NOSANDBOX access, change configuration values, and possibly achieve RCE on the client's machine.

Fix: Fixed the template rendering code, disallowed WebSocket connections from unknown locations, and restricted open_browser configuration values to avoid possible RCE in case of a sandbox escape.
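
The three mitigations named in the fix, sketched as an added Python example; this is not ZeroNet's own code, and the release note does not describe the flaw in detail. The `{name}` placeholder syntax, the use of the `Origin` header to decide what counts as a known location, and the allowlist values are all assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumed values for illustration only; not taken from ZeroNet's source.
ALLOWED_ORIGINS = {"http://127.0.0.1:43110", "http://localhost:43110"}
ALLOWED_OPEN_BROWSER = {"default_browser", "False"}

_PLACEHOLDER = re.compile(r"\{(\w+)\}")


def render(template: str, variables: dict) -> str:
    """Fill {name} placeholders in one pass, HTML-escaping every value.

    re.sub never re-scans text it has just inserted, so a value that itself
    contains "{other}" stays literal instead of being expanded.
    """
    def substitute(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)  # unknown placeholder: leave untouched
        return html.escape(str(variables[name]), quote=True)
    return _PLACEHOLDER.sub(substitute, template)


def origin_allowed(origin_header) -> bool:
    """Accept a WebSocket handshake only from an allowlisted Origin."""
    if not origin_header:
        return False  # a missing Origin is treated as an unknown location
    parts = urlsplit(origin_header)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # e.g. the literal "null" sent by sandboxed frames
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def validate_open_browser(value: str) -> str:
    """Reject any open_browser value outside a fixed allowlist."""
    if value not in ALLOWED_OPEN_BROWSER:
        raise ValueError(f"open_browser value not allowed: {value!r}")
    return value
```
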