Here you go: https://bin.langille.org/index.php?6b303e2d3c1b1892#DhseA3n5Mg7usWAzXXZnT6x4V8cWKWqHx8x8hkWJqaEt or https://bin.langille.org/?6b303e2d3c1b1892#DhseA3n5Mg7usWAzXXZnT6x4V8cWKWqHx8x8hkWJqaEt (viewing is not protected after all, so makes no difference.)

It's exactly as described (easily testable with browser dev tools.)

Note for reproducers: You need to add a breakpoint here to get the encryption key on failure and encode it (CryptTool.base58encode(symmetricKey); as the original code does it) and copy it:

As I don't know how to fix that in a second, and such a new config would need testing, I just added a warning to that page. I am also unsure how we'd further proceed, – after all I am not sure who possibly used that guide in our wiki.

I am escalating that internally somewhat, because I see that it was kinda official part of the wiki and must not stand there as it does now.

I am also unsure how we'd further proceed, – after all I am not sure who possibly used that guide in our wiki.

What about adding it as a note to the next release? When that happens, social media takes over. I for one will help spread the news. When it's a security issue the news will spread fast. Care needs to be taken to emphasise that it is a configuration issue, not a PrivateBin issue.

Full disclosure: I work for an infosec company, but in sysadmin, not in analysis.

From my first glance, I agree, your solution should not have this flaw. It would likely also be useful to re-document your solution as an alternative example, too.

Not trying to throw blame, but given the profile of the project, you should probably lock wiki edits to contributors only, or at least have maintainers verify edits before publishing. This issue went unnoticed since 2019 and there's no way to know who might have used it.

We'll discuss that internally certainly. What I can say, however, already, is that “verify edits before publishing” is AFAIK technically not possible in GitHub. Either a wiki is editable by all or by none (only contributors can edit it).

Yeah, you'd need to extract the wiki to regular files in a git repo, perhaps GitHub pages, and then non-maintainers can submit PRs.

In my testing, it does. I now cannot POST it to index.php anymore/it requires authentication.

Thanks for testing, I've updated the snippet in the wiki accordingly.

Thank you. I'm sorry for this.

No need to be sorry, mistakes happen. The good thing is it has been noticed, and we are currently evaluating how to react now and especially further improve it all here to prevent errors like this from happening (like having a second pair of eyes looking upon the wiki or so), but that is to be decided later.