Low seeded zites can be manipulated, they can be rendered unusable security issue #2844

Open
mx5kevin opened this issue Mar 2, 2024 · 0 comments

mx5kevin commented Mar 2, 2024

  • ZeroNet version: ZeroNetX 0.9.0 (Rev 4630), 4.8.5 (Rev 4625), Conservancy 0.7.10+ (Rev 8192), Zeronet 0.7.2 (Rev 4555) and all older versions, forks.

  • Operating system: All

  • Web browser: _____

  • Tor status: not available/always/disabled

  • Opened port: yes/no

  • Special configuration: ____

The attack works on zites that are low seeded and where the original owner is not seeding the zite non-stop. The attacker uses an outdated version of the current zite, or deletes some files. If users who have the original page connect, the user who downloaded the page from the attacker cannot update it. If the page refreshes itself, it gets into an updated status, with missing files or outdated content. There are two points of vulnerability in the system: in the file update system, and in the content.json time coding system.

If some files are missing, the automatic page refresh does not work; in some forks, "check files" may work if there is a user who has the files. In the "outdated attack", the site owner needs to sign and publish the content at a later time. This phenomenon occurs if new content is published several times within a short period of time that day.

After X failed attempts, the download system gives up updating the content. The attack can make low seeded zites useless.

The result: missing files in the zites, or an outdated version of the zite is loaded. In both cases the zites cannot be updated later from other users.
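
A defender-side check for the two symptoms reported above (an outdated content.json and missing files), as an added example that is not part of the issue or of ZeroNet's own code: it compares a local zite copy with the content.json manifests offered by peers. The function names, peer labels and sample data are constructed; it assumes each manifest carries a `modified` timestamp and a `files` map with `sha512` and `size`, and that signatures were verified beforehand.

```python
import hashlib

def sha512_matches(data: bytes, expected_hex: str) -> bool:
    # Assumption: the manifest digest is the hex SHA-512 or a prefix of it.
    digest = hashlib.sha512(data).hexdigest()
    return bool(expected_hex) and digest.startswith(expected_hex.lower())

def audit_zite(local_manifest: dict, local_files: dict, peer_manifests: dict) -> dict:
    """Compare a local zite copy with the content.json each peer offers.

    local_files maps path -> bytes on disk; peer_manifests maps a peer label
    to its parsed content.json (signature assumed to be verified already).
    """
    # The reference is the newest manifest seen anywhere, local copy included.
    reference = local_manifest
    for manifest in peer_manifests.values():
        if manifest["modified"] > reference["modified"]:
            reference = manifest
    stale_peers = sorted(p for p, m in peer_manifests.items()
                         if m["modified"] < reference["modified"])
    missing, changed = [], []
    for path, meta in sorted(reference["files"].items()):
        data = local_files.get(path)
        if data is None:
            missing.append(path)          # listed in the manifest, absent on disk
        elif len(data) != meta["size"] or not sha512_matches(data, meta["sha512"]):
            changed.append(path)          # on disk, but not the listed content
    return {
        "local_outdated": local_manifest["modified"] < reference["modified"],
        "newest_modified": reference["modified"],
        "stale_peers": stale_peers,
        "missing_files": missing,
        "changed_files": changed,
    }

def _entry(data: bytes) -> dict:
    return {"sha512": hashlib.sha512(data).hexdigest(), "size": len(data)}

# Constructed sample data: two versions of a zite and an incomplete local copy.
INDEX_V1, INDEX_V2, STYLE = b"<h1>v1</h1>", b"<h1>v2</h1>", b"body{}"
OLD = {"modified": 1709300000,
       "files": {"index.html": _entry(INDEX_V1), "style.css": _entry(STYLE)}}
NEW = {"modified": 1709380000,
       "files": {"index.html": _entry(INDEX_V2), "style.css": _entry(STYLE)}}
LOCAL_FILES = {"index.html": INDEX_V1}    # style.css was never received
PEERS = {"peer-a": OLD, "peer-b": NEW}

if __name__ == "__main__":
    print(audit_zite(OLD, LOCAL_FILES, PEERS))
```

With only `peer-a` reachable the same call reports `local_outdated` as false, which is why the check is only as good as the set of peers it can see.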
