Opened 2 years ago

Closed 4 days ago

#23578 closed defect (fixed)

Don't include full path of error messages in OONI explorer's error page

Reported by: gk
Owned by: hiro
Priority: Medium
Milestone:
Component: Webpages/Webtools
Version:
Severity: Normal
Keywords:
Cc: hellais
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We got a HackerOne report by yox about a full path disclosure on the OONI Explorer error page:

https://explorer.ooni.torproject.org//x

Impact

This security vulnerability could potentially allow a malicious hacker to map an attack against internal systems. For example, if this were to be chained with another vulnerability such as path traversal, it may lead to compromise of internal systems.

Mitigation

Typically these sorts of errors occur from incorrect data types; in this case it seems like it is just a simple 404 page which is, however, leaking too much information to the user.

A best practice method is to log these types of errors to a local text file, while showing the user a friendly 404 message. This is often achieved by disabling error reporting on the application side.

Child Tickets

Change History (4)

comment:1 Changed 2 years ago by hellais

I filed a ticket for this here: https://github.com/TheTorProject/ooni-explorer/issues/116.

To be honest I don't consider this a security issue as all the paths that are disclosed there (and all paths in general for OONI infrastructure) are public anyways on our ooni-sysadmin repository (example for ooni-explorer: https://github.com/TheTorProject/ooni-sysadmin/blob/master/ansible/roles/ooni-explorer/vars/main.yml#L3).

I think it's a good idea to do this, though, to improve the usability of the website.

comment:2 Changed 5 days ago by arma

gk, hellais, ok to close this ticket?

comment:3 Changed 4 days ago by hellais

gk, hellais, ok to close this ticket?

Yes for sure. We have since launched a new version of OONI Explorer based on a new codebase so this is no longer relevant.

comment:4 Changed 4 days ago by gk

Resolution: fixed
Status: new → closed

Fixed by the new code base then.
