Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure xmlrpc server/client #809

Open
LexiconCode opened this issue May 2, 2020 · 0 comments
Open

Secure xmlrpc server/client #809

LexiconCode opened this issue May 2, 2020 · 0 comments
Labels
Enhancement Enhancement of an existing feature

Comments

@LexiconCode
Copy link
Member

Is your feature request related to a problem? Please describe.
A malicious website targeting Caster users through the browser could execute registered functions via xmlhttprequests on http://localhost:1338.

Describe the solution you'd like
To prevent this behavior the RPC server/client needs an authentication token that's randomly generated.

Additional context
The impact of this security issue is minimal an attacker could only emulating mouse commands(mouse Grids)/manipulate spec(record from history) blindly and not arbitrary code execution.

This is implemented the dragonfly and could be used for reference https://github.com/dictation-toolbox/dragonfly/pull/61/files#diff-6219d462fba21473f0a2404097943f75R29
@LexiconCode LexiconCode added the Enhancement Enhancement of an existing feature label May 2, 2020
@LexiconCode LexiconCode mentioned this issue May 2, 2020
Merged
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Enhancement Enhancement of an existing feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@LexiconCode