Bin Private
⚡ ALL INFORMATION CLICK HERE 👈🏻👈🏻👈🏻
Bin Private
elrido
Merge pull request #742 from PrivateBin/codeql
Release v1.3.4 - Fixing HTML entities, custom expiration, pasting into password field
Latest
© 2021 GitHub, Inc.
Terms
Privacy
Security
Status
Docs
Contact GitHub
Pricing
API
Training
Blog
About
PrivateBin is a minimalist, open source online pastebin
where the server has zero knowledge of pasted data.
Data is encrypted and decrypted in the browser using 256bit AES in Galois Counter mode .
This is a fork of ZeroBin, originally developed by
Sébastien Sauvage . ZeroBin was refactored
to allow easier and cleaner extensions. PrivateBin has many more features than the
original ZeroBin. It is, however, still fully compatible to the original ZeroBin 0.19
data storage scheme. Therefore, such installations can be upgraded to PrivateBin
without losing any data.
As a server administrator you don't have to worry if your users post content
that is considered illegal in your country. You have no knowledge of any
of the pastes content. If requested or enforced, you can delete any paste from
your system.
Pastebin-like system to store text documents, code samples, etc.
Possibility to set a password which is required to read the paste. It further
protects a paste and prevents people stumbling upon your paste's link
from being able to read it without the password.
As a user you have to trust the server administrator not to inject any malicious
javascript code.
For basic security, the PrivateBin installation has to provide HTTPS !
Otherwise you would also have to trust your internet provider, and any country
the traffic passes through.
Additionally the instance should be secured by
HSTS and
ideally by HPKP using a
certificate. It can use traditional certificate authorities and/or use
DNSSEC
protected
DANE
record.
The "key" used to encrypt the paste is part of the URL. If you publicly post
the URL of a paste that is not password-protected, anyone can read it.
Use a password if you want your paste to be private. In this case, make sure to
use a strong password and only share it privately and end-to-end-encrypted.
A server admin might be forced to hand over access logs to the authorities.
PrivateBin encrypts your text and the discussion contents, but who accessed a
paste (first) might still be disclosed via access logs.
In case of a server breach your data is secure as it is only stored encrypted
on the server. However, the server could be misused or the server admin could
be legally forced into sending malicious JavaScript to all web users, which
grabs the decryption key and sends it to the server when a user accesses a
PrivateBin.
Therefore, do not access any PrivateBin instance if you think it has been
compromised. As long as no user accesses this instance with a previously
generated URL, the content can't be decrypted.
Some features are optional and can be enabled or disabled in the configuration
file :
Discussions, anonymous or with nicknames and IP based identicons or vizhashes
Expiration times, including a "forever" and "burn after reading" option
Markdown format support for HTML formatted pastes, including preview function
Syntax highlighting for source code using prettify.js, including 4 prettify
themes
File upload support, images get displayed (disabled by default, possibility
to adjust size limit)
Templates: By default there are bootstrap CSS, darkstrap and "classic ZeroBin"
to choose from and it is easy to adapt these to your own websites layout or
create your own.
Translation system and automatic browser language detection (if enabled in
browser)
Language selection (disabled by default, as it uses a session cookie)
QR code generation of URL, to easily transfer pastes over to a mobile device
Run into any issues? Have ideas for further developments? Please
report them!
A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.
General information on the PrivateBin project.
GitHub - PrivateBin/PrivateBin: A minimalist, open source online...
Releases · PrivateBin/PrivateBin · GitHub
privatebin/privatebin - Packagist
HOW TO MAKE PRIVATE BINS 2020 (BE A CRACKER) - YouTube
ALTER TABLE prefix_paste MODIFY COLUMN data MEDIUMBLOB;
UPDATE prefix_config SET value = " 1.3.1 " WHERE id = " VERSION " ;
© 2021 GitHub, Inc.
Terms
Privacy
Security
Status
Docs
Contact GitHub
Pricing
API
Training
Blog
About
elrido
released this
Mar 22, 2020
·
251 commits
to master
since this release
This bug fix releases resolves further HTML entity encoding issues, the use of custom expiration options in the email function, pasting into the password dialog on pastes with attachments and also updates the identicon library to 2.0.0, which increases the minimum required PHP version to 5.6.
We recommend to upgrade 1.3.x instances to address these issues.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.4 release announcements .
elrido
released this
Feb 16, 2020
·
274 commits
to master
since this release
This release fixes HTML entity double encoding issues introduced in version 1.3.2 of PrivateBin.
In the efforts to prevent the unencoded strings to cause XSS issues down the line in releases 1.3.2 and 1.2.2, we had some strings getting their HTML entities encoded twice. This caused some display glitches as well as preventing the URLs in paste texts to get converted to links.
This bug fix releases resolves these encoding issues, expands the XSS protection to the server side templating, updates some missing translation strings for the mailing feature (in 1.3.3 only) and also updates the DOMpurify library to 2.0.8.
We recommend to upgrade 1.3, 1.3.1, 1.3.2, 1.2, 1.2.1 and 1.2.2 instances to address these issues.
We do offer a backport of these fixes for the 1.2.x versions of PrivateBin. You may choose to use version 1.2.3 over 1.3.3, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.3 & 1.2.3 release announcements .
elrido
released this
Feb 16, 2020
·
705 commits
to master
since this release
This release fixes HTML entity double encoding issues introduced in version 1.2.2 of PrivateBin.
In the efforts to prevent the unencoded strings to cause XSS issues down the line in releases 1.3.2 and 1.2.2, we had some strings getting their HTML entities encoded twice. This caused some display glitches as well as preventing the URLs in paste texts to get converted to links.
This bug fix releases resolves these encoding issues, expands the XSS protection to the server side templating and updates the DOMpurify library to 2.0.8.
We recommend to upgrade 1.2, 1.2.1 and 1.2.2 instances to address these issues.
We do offer a backport of these fixes for the 1.2.x versions of PrivateBin. You may choose to use version 1.2.3 over 1.3.3, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.3 & 1.2.3 release announcements .
elrido
released this
Jan 11, 2020
·
334 commits
to master
since this release
This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.
On 25th of December 2019, an issue was discovered and fixed, which allowed the user provided attachment file name to inject HTML under certain conditions, leading to a persistent Cross-site scripting (XSS) vulnerability. This release includes an improved solution, which addresses the issue on a broader scope, avoiding this to reoccur in other areas of the code in the future.
Further details on this is an issue and its implications can be found in our report on the vulnerability . It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.
We recommend to upgrade 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have fileuploads enabled and uses the recommended CSP header to mitigate XSS attacks.
Due to the seriousness of the issue, we do offer a backport of the fix for the 1.2.1 version of PrivateBin, that also includes updated JavaScript libraries. You may choose to use that version over 1.3.2, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.2 & 1.2.2 release announcements .
elrido
released this
Jan 11, 2020
·
705 commits
to master
since this release
This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.
On 25th of December 2019, an issue was discovered and fixed, which allowed the user provided attachment file name to inject HTML under certain conditions, leading to a persistent Cross-site scripting (XSS) vulnerability. This release includes an improved solution, which addresses the issue on a broader scope, avoiding this to reoccur in other areas of the code in the future.
Further details on this is an issue and its implications can be found in our report on the vulnerability . It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.
We recommend to upgrade 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have fileuploads enabled and uses the recommended CSP header to mitigate XSS attacks.
Due to the seriousness of the issue, we do offer a backport of the fix for the 1.2.1 version of PrivateBin, that also includes updated JavaScript libraries. You may choose to use that version over 1.3.2, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.2 & 1.2.2 release announcements .
elrido
released this
Sep 22, 2019
·
384 commits
to master
since this release
This release improves the display of appropriate errors for unsupported browsers/configurations.
Since the release of version 1.3 only two months ago we received reports on a surprising number of corner cases with certain browser versions and protocols in which the new release didn't work, while 1.2.1 still did. The release addresses most of these or at least aims to provide a meaningful error message with hints what the user may do to avoid these (switching to HTTPS, using a different browser or being limited to partial functionality).
We also have been provided with a Bulgarian translation and several improvements to the bootstrap template, cloning pastes and the drap & drop file upload. The URL shortener now also supports JSON APIs and the default size limit was increased to 10 MiB.
Before the 1.3 release we had tested mainly in Firefox and Chrome, but none of the core developers had easy access to Windows based browsers (Edge, IE) or Mac (Safari). We also missed that Chrome disables the webcrypto API used in 1.3 to replace the SJCL cryptographic library, when accessing the site via HTTP. It didn't do this in our local testing environments, as localhost is considered safe by it, even when not accessed via HTTPS. Other quirks discovered were issues when accessing PrivateBin via Tor and i2p networks. The Torbrowser disables webassembly due to security concerns, which prevented these clients to create or read pastes.
To facilitate testing of such quirks and having access to more browsers versions, we applied for a sponsored browserstack account. This helped us improving the browser feature detection. In particular the following cases got covered:
We recommend to upgrade 1.3 instances to improve the support for Chrome and older browsers get more appropriate error messages.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
The default size limit got increased from 2 to 10 MiB. If you didn't configure a custom size, you may have to adjust your PHP and webserver settings to be able to use the new limit to the full extent.
If you use the MySQL database backend and don't allow the PrivateBin use to ALTER TABLES, you have to manually change one columns type and UPDATE the database version (replace "prefix_" with your own table prefix, if used):
PostgreSQL and SQLite don't require this change.
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.1 release announcements .
elrido
released this
Jul 9, 2019
·
475 commits
to master
since this release
This release switches the used encryption and compression libraries and addresses several problems with mangled URLs and pastes.
We fixed several issues in this release. We now tell Chrome not to send the whole page, including the decrypted text, to it's translation services. Thanks to the use of blob instead of data URI's, Chrome can now deal with attachments larger then 2 MiB. The raw text mode escapes HTML correctly again (a regression introduced in 1.2). PrivateBin can now handle URLs mangled by Facebook.
Translations for Czech has been added since the last release.
We threat modeled the application in preparation for the changes in the API, JSON format and encryption.
The main change of this release was the switch from the SJCL and rawdeflate JavaScript libraries to the browser integrated WebCrypto API and zlib C library (via WebAssembly) as well as various modernizations of our use of JavaScript. We still fully support reading older pastes and comments, but newly generated pastes use a different, more efficient and flexible format. Some of these changes lead to us dropping the support for Internet Explorer and we suggest to use Edge instead, if no other modern browser is available (see Appendix A in the release announcements ).
The change to WebCrypto API means that the cryptographic functions are now handled by the browser integrated libraries instead of code that has to be transferred from the webserver to the client. While this can't prevent a malicious party to inject logic to extract the key or decrypted contents, it does increase the trust users can have in the cryptographic functionality of PrivateBin as well as speed up both initial page load as well as the en/decryption itself.
Over the years we encountered several cases where the deflate implementation used in the rawdeflate JavaScript library produced results that couldn't be decompressed by itself or other deflate implementation. While the latter mainly affected third-party CLI clients , the first lead to pastes that couldn't be read even by PrivateBin itself. We had initially planned to use the pako JavaScript library, but during implementation of the new format found that the zlib C library used in most other languages for deflate support can be used in JavaScript as well, via compilation into WebAssembly. This is a very stable library with no currently known bugs and even performs better then pako.
Server operators now have an additional configuration option that lets them disable compression . While the compression before encryption reduces the size of most text, source code, markdown pastes and text comments drastically, when having file upload enabled and mostly using an instance to share already compressed files (office documents, PNG or JPG images, etc.) this slows down the creation of the pastes unnecessarily and without gain. Furthermore some security minded administrators may wish to disable compression to avoid potential security risks that would make brute forcing keys easier for shorter, compressed pastes.
As usual we have also upgraded all used libraries to their latest releases. The identicon library now requires PHP 5.5, so this is the new minimum required PHP version.
Finally the newly used JSON format and API was taken as an opportunity to implement some, otherwise breaking, changes like the use of base58 for the hash key encoding instead of base64, which addresses the Outlook mail client stripping trailing equal signs from URLs. The number of iterations in the PBKDF2 key derivation got increased from 10k to 100k to make it more costly to brute force the password of a paste. The server now uses Fowler–Noll–Vo checksums instead of md5 to generate unique paste IDs.
Due to some rather annoying bugs in the raw paste view and with URLs mangled by Facebook and Outlook, we do recommend an upgrade on instances that are more widely used. While most users never encountered cases where the pastes got mangled in the deflate compression, users that frequently upload office documents and certain source code and compiler outputs would trigger this rather reliably. There are also several improvements that increase the security of the encryption.
Two new configuration options , compression and httpwarning got introduced.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root. Note that the latest docker containers use different user IDs then the older ones, so you will have to change the ownership of the attached data volume.
If you do have to use the new release on a PHP 5.4 environment, you can attempt to change the icon option to vizhash or none and decrease the MIN_PHP_VERSION in the lib/Controller.php file.
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3 release announcements .
elrido
released this
Aug 11, 2018
·
705 commits
to master
since this release
This release fixes a low entropy key vulnerability in PrivateBin affecting legacy browsers
On 31st of July 2018, @cryptolok reported a cryptographic vulnerability in PrivateBin due to the incorrect use of SJCL when used on very old browsers. When creating a paste using any ZeroBin version or PrivateBin up to and including 1.1.1 on a browser without web crypto API support (Firefox<21, Chrome<15, Safari<5, IE<11) the key may have been generated without sufficient entropy. PrivateBin 1.2 was not affected, because the support for those browser versions got removed in the JS refactoring.
This release re-adds support for those legacy browsers and ensures they generate the key with sufficient entropy. In the next release of PrivateBin we will permanently drop legacy browser support and switch to the web crypto API exclusively. This release ensures that there is at least one release available that supports both legacy browsers and has the entropy issue fixed.
Further details on this is an issue and its implications can be found in our report on the vulnerability . It also describes methods to check if your browser is currently affected by the issue. If it is, please consider updating your browser.
If you are still using PrivateBin version 1.1.1 or ZeroBin, upgrading to this release will ensure that you retain legacy browser support and fix the low entropy key vulnerability in your current version. If you already upgraded to PrivateBin 1.2 and don't need to support these very old browser versions (released before October 2013) then you could consider skipping this release.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root.
Note that this is the first release that is signed with the new signing key (fingerprint: 28CA 7C96 4938 EA5C 1481 D42A E11B 7950 E9E1 83DB ). This key is intended to be used for signing releases from now on.
elrido
released this
Jul 22, 2018
·
723 commits
to master
since this release
This release adds QR code generation, inline display of video, audio, PDF and new translations to PrivateBin and a large refactoring of the JavaScript code.
A new button lets you generate a QR code of your newly created pastes URL. This allows for easy transfer of a pasted data from one mobile device to another.
When the optional file upload is enabled, uploaded videos, audio files and PDFs are displayed inline, like we did with images, as long as the visitors browser supports it. By default the file and paste upload is limited to a 2 MiB size.
Translations for Spanish, Occitan, Norwegian, Portuguese, Dutch and Hungarian have also been added since the last release.
The main change of this release, and the reason it took us so long since doing the last one, was the large refactoring and cleanup of the JavaScript logic of PrivateBin. The refactoring itself was done in early 2017. In parallel we introced mocha and JSverify running on nodeJS as a property based unit testing framework for the logic (à la QuickCheck ). Many months were spent to cover more and more pieces of the logic.
In the end we covered all of the modular parts of the logic (879 of 1273 lines of code for a 69% code coverage ), including the encryption wrapper functions for backward compatibility with older paste formats. The UI related parts of the code proved difficult to test, partly because in nodeJS the browsers document object model (DOM) is emulated using the JSdom library, the lack of an actual view port being present (so no scrolling, for example) and also due the event driven nature which contradicts the modular approach of unit testing. For many UI interfaces, large parts of the DOM has to be present, since emitting a single click event may trigger changes in many different parts of the UI. This is a shortcoming of the current structure of the UI logic, which we may need to improve further.
Still, the unit testing found many regressions and some issues that have been in the code for a long time without having been reported. It lays the necessary ground work for the future changes, especially the major changes planned for the encryption format.
Apart from the new QR code feature many new translations were added. All used libraries were upgraded, too. While no security issues were reported for any of these, they address some bugs that didn't affect us directly or improve compatibility with the latests browsers and PHP releases.
A new configuration option name was introduced for those admins that like to replace the "PrivateBin" moniker in the template with their own site name.
As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions .
We now also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root. We also started providing additional tools in Docker containers .
More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.2 release announcements .
elrido
released this
Oct 10, 2017
·
1210 commits
to master
since this release
This release fixes leakage of configuration and raw pastes that can occur in some setups.
On 29th of September, @pstn reported a medium data leak vulnerability in PrivateBin. If either a) a non-apache webserver is used or b) apache has "AllowOverride" disabled and the installation was not secured by changing the path of sensitive folders, these can be accessed from the outside. This release fixes this by converting these files from INI/JSON to php files, so that they are protected even under those conditions.
Further details on why this is an issue and its implications can be found in our report on the vulnerability . It also describes methods to check if your server is currently affected by the issue.
Even if you are currently using an apache server and are not affected by this issue, we would advise to plan to update soon. Some of the sites affected by this reported that they had changed their webserver setup, inadvertedly becoming affected. You might do the same in the future, too, and forget to check your PrivateBin setups security.
Alternatively consider to securing your installation by changing the path of folders containing sensitive information. We have updated our installation instructions , stressing our security recommendations.
Apart from updating the libraries and the javascript files, make sure that your PHP process can also write to the cfg folder. The next call to your privatebin installation will convert the conf.ini file into conf.php . Accessing pastes will convert these, too. Additionally we also are hooking into the purge mechanism to gradually convert pastes that are not frequently accessed.
Note: @rugk has updated his expired pgp key. The fingerprint stayed the same , but you may need to update it .
Fire Penetration
Russian Teen Double Penetration
Big Tits Double Penetration Porno
Hard Sex Old
Overwatch Christmas
.jpg)
