nyxfqq/gist:a6da3fe6128b978ea1aaa5df639d5f98

## gistfile1.txt
 [Suggested description]
 Default configurations in the ShareProofVerifier function of filestash
 v0.4 causes the application to skip the TLS certificate verification
 process when sending out email verification codes, possibly allowing
 attackers to access sensitive data via a man-in-the-middle attack.

In the current implementation of the ShareProofVerifier function within share.go
found at github.com/m/mickael-kerjean/filestash/server/model,
the TLS verification is being bypassed when sending out email
verification codes. This practice is explicitly warned against in
the gomail package documentation, stating that it is insecure and
should not be used in a production environment.

 ------------------------------------------

 [Vulnerability Type]
 Missing SSL Certificate Validation

------------------------------------------

 [Vendor of Product]
 https://github.com/mickael-kerjean/filestash

 ------------------------------------------

 [Affected Product Code Base]
filestash - <=0.4

 ------------------------------------------

 [Affected Component]
 Use email authentication, mickael-kerjean/filestash/server/model/share.go

 ------------------------------------------

 [Attack Type]
 Remote

 ------------------------------------------

 [Impact Escalation of Privileges]
 true

 ------------------------------------------

 [Impact Information Disclosure]
 true

 ------------------------------------------

 [Attack Vectors]
 Use email authentication

 ------------------------------------------

 [Reference]
 https://github.com/mickael-kerjean/filestash
 https://github.com/mickael-kerjean/filestash/issues/709
 https://pkg.go.dev/gopkg.in/gomail.v2#section-readme

 ------------------------------------------

 [Discoverer]
 Bingyu Li
	[Suggested description]
	Default configurations in the ShareProofVerifier function of filestash
	v0.4 causes the application to skip the TLS certificate verification
	process when sending out email verification codes, possibly allowing
	attackers to access sensitive data via a man-in-the-middle attack.

	In the current implementation of the ShareProofVerifier function within share.go
	found at github.com/m/mickael-kerjean/filestash/server/model,
	the TLS verification is being bypassed when sending out email
	verification codes. This practice is explicitly warned against in
	the gomail package documentation, stating that it is insecure and
	should not be used in a production environment.

	------------------------------------------

	[Vulnerability Type]
	Missing SSL Certificate Validation

	------------------------------------------

	[Vendor of Product]
	https://github.com/mickael-kerjean/filestash

	------------------------------------------

	[Affected Product Code Base]
	filestash - <=0.4

	------------------------------------------

	[Affected Component]
	Use email authentication, mickael-kerjean/filestash/server/model/share.go

	------------------------------------------

	[Attack Type]
	Remote

	------------------------------------------

	[Impact Escalation of Privileges]
	true

	------------------------------------------

	[Impact Information Disclosure]
	true

	------------------------------------------

	[Attack Vectors]
	Use email authentication

	------------------------------------------

	[Reference]
	https://github.com/mickael-kerjean/filestash
	https://github.com/mickael-kerjean/filestash/issues/709
	https://pkg.go.dev/gopkg.in/gomail.v2#section-readme

	------------------------------------------

	[Discoverer]
	Bingyu Li