@zhuowei found that malicious x-github-client: URLs could be crafted, leading to arbitrary remote code execution when visited by users. This vulnerability was fixed in version 0.5.6 of the GitHub Desktop application.
@zhuowei reported an XSS vulnerability in the sandbox domain we use for proxying images coming from non-HTTPS sources. If the Content-Type header existed in the proxied response, we were checking that it contained an image media type. Responses without a Content-Type header, however, were forwarded unchecked.
Firefox and Internet Explorer attempt to guess (sniff) the content type of resources that do not specify a Content-Type header. Content sniffing is a very old issue that often leads to XSS: a body that looks like HTML is rendered as HTML in the origin it was served from. By using our image proxy to request an HTML resource that does not specify a content type, an attacker could have caused an arbitrary HTML file to be served from our image-proxy domain.
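The gate described above, as an added example that is not GitHub's own proxy code: the vulnerable form validates Content-Type only when the header is present, while the corrected form rejects responses with a missing or empty header. The helper names, the constructed upstream responses, and the X-Content-Type-Options: nosniff response header are assumptions made for this illustration, not details from the report.

```python
# Added example (not the page's or GitHub's code): the Content-Type gate the
# report describes, in its vulnerable and corrected forms. The upstream
# responses below are constructed for illustration.
from typing import Dict, List, Mapping, Optional, Tuple


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def media_type(content_type: Optional[str]) -> Optional[str]:
    """Strip parameters and normalise case: 'IMAGE/PNG; charset=binary' -> 'image/png'.
    Returns None for a missing or empty header."""
    if content_type is None:
        return None
    base = content_type.split(";", 1)[0].strip().lower()
    return base or None


def is_image(mt: Optional[str]) -> bool:
    """True for any image/* media type. Note that image/svg+xml passes too, and SVG
    can carry script; the page does not discuss it, so it is left to an allow-list."""
    return mt is not None and mt.startswith("image/")


def forward_vulnerable(upstream: Mapping[str, str]) -> bool:
    """Behaviour before the fix: validate Content-Type only if it is present."""
    raw = get_header(upstream, "Content-Type")
    if raw is None:
        return True  # BUG: no header -> forwarded; the browser sniffs the body as HTML
    return is_image(media_type(raw))


def forward_fixed(upstream: Mapping[str, str]) -> bool:
    """Behaviour after the fix: a missing or empty Content-Type is rejected outright."""
    return is_image(media_type(get_header(upstream, "Content-Type")))


def proxied_headers(upstream: Mapping[str, str]) -> Optional[Dict[str, str]]:
    """Headers the proxy would send to the browser, or None when the response is blocked.
    X-Content-Type-Options: nosniff is an extra defence (an assumption, not stated on the
    page) that tells browsers not to second-guess the declared type."""
    mt = media_type(get_header(upstream, "Content-Type"))
    if not is_image(mt):
        return None
    return {"Content-Type": mt, "X-Content-Type-Options": "nosniff"}


# Constructed upstream responses (header dicts only; bodies omitted).
SAMPLES: List[Tuple[str, Dict[str, str]]] = [
    ("png", {"Content-Type": "image/png"}),
    ("png-with-params", {"content-type": "IMAGE/PNG; charset=binary"}),
    ("html", {"Content-Type": "text/html; charset=utf-8"}),
    ("no-content-type", {"Content-Length": "512"}),  # the attacker's case
    ("empty-content-type", {"Content-Type": ""}),
]


def compare() -> Dict[str, Tuple[bool, bool]]:
    """Map sample name -> (forwarded by vulnerable gate, forwarded by fixed gate)."""
    return {name: (forward_vulnerable(h), forward_fixed(h)) for name, h in SAMPLES}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:20s} vulnerable={before!s:5s} fixed={after}")
```

Only the no-content-type case differs between the two gates: the vulnerable gate forwards it and leaves the browser to sniff the body, the fixed gate refuses it. Adding nosniff to forwarded responses is a second layer that holds even if an upstream server lies about a non-image type.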
While this vulnerability existed in a sandbox domain, largely intended to mitigate the risk of serving user-supplied content, we still took the threat seriously. We addressed the behavior by disallowing responses that do not contain a Content-Type header. We also moved the image proxy to a domain that is not a subdomain of