Latest release does not have actual fix for local JSONRPC issue

[strazzere]

So I was doing some auditing of some repos and noticed that the last pull request that was merged is not the full fix for spesmilo#3374. So all the new releases for both TOR and non-TOR electrum-vtc as still affected by this issue.

The only patch you applied was Disable CORS for JSON-RPC, spesmilo@fdd10bf, which was applied at 86767e2.

Which is not the full fix as an attacker could simply use exploitable via DNS rebinding from a web site, or any local application would have access.

I verified that none of the newest releases contain extra code as well and contain this issue. This is readily reproducible if you simply look for the socket being opened on the localhost and send a POST to it.

[metalicjames]

At the time of the fix CORS was the available patch. Local applications would have access anyway, since they could read the RPC user/pass from disk. That's the same with Vertcoin Core even. DNS rebinding is something I am unfamiliar with.

However, I will apply the additional RPC password protection patch and provide new release shortly nonetheless.

[strazzere]

There is a good explanation to DNS rebinding in spesmilo#3374, but the TLDR is that it isn't a hard thing to do.

With regards to the local apps reading the pass from disk - this isn't exactly true since this app is actually for many different platforms. E.g. - On Android this isn't possible for another app to read the config, but it would be perfectly fine for all the apps that have the internet permission to interact with this socket.

[metalicjames]

Potential fix: #81

[strazzere]

The fix looks fine by me with regards to the jsonrpc fixes, I've already evaluated them on the original git repo. Thanks for the speedy pull. I'd have done it myself, but just haven't had any of the time.

Thanks!

[metalicjames]

Fixed in /~https://github.com/vertcoin/electrum-vtc/releases/tag/2.9.3.6 and /~https://github.com/vertcoin/electrum-vtc/releases/tag/2.9.3.6-tor