Opened 21 months ago

Last modified 21 months ago

#23578 new defect

Don't include full path of error messages in OONI explorer's error page

Reported by: gk
Owned by: hiro
Priority: Medium
Milestone:
Component: Webpages/Webtools
Version:
Severity: Normal
Keywords:
Cc: hellais
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We got a HackerOne report by yox about a full path disclosure on OONI explorer error page:

https://explorer.ooni.torproject.org//x

Impact

This security vulnerability could potentially allow a malicious hacker to map an attack against internal systems. For example, if this were to be chained with another vulnerability such as path traversal, it may lead to compromise of internal systems.

Mitigation

Typically these sorts of errors occur from incorrect data types; in this case it seems like it is just a simple 404 page which is, however, leaking too much information to the user.

A best practice method is to log these types of errors to a local text file, while showing the user a friendly 404 message. This is often achieved by disabling error reporting on the application side.

Child Tickets

Change History (1)

comment:1 Changed 21 months ago by hellais

I filed a ticket for this here: https://github.com/TheTorProject/ooni-explorer/issues/116.

To be honest I don't consider this a security issue as all the paths that are disclosed there (and all paths in general for OONI infrastructure) are public anyway on our ooni-sysadmin repository (example for ooni-explorer: https://github.com/TheTorProject/ooni-sysadmin/blob/master/ansible/roles/ooni-explorer/vars/main.yml#L3).

I think it's a good idea to do this, though, to improve the usability of the website.
