Opened 3 years ago

Closed 14 months ago

#23578 closed defect (fixed)

Don't include full path of error messages in OONI explorer's error page

Reported by: gk
Owned by: hiro
Priority: Medium
Component: Webpages/Webtools
Severity: Normal
Cc: hellais


We got a HackerOne report by yox about a full path disclosure on the OONI Explorer error page:


This security vulnerability could potentially allow a malicious hacker to map an attack against internal systems. For example, if this were to be chained with another vulnerability such as path traversal, it may lead to compromise of internal systems.

Typically these sorts of errors occur from incorrect data types; in this case it seems like it is just a simple 404 page which is however leaking too much information to the user.

A best practice method is to log these types of errors to a local text file, while showing the user a friendly 404 message. This is often achieved by disabling error reporting on the application side.

Change History (4)

comment:1 Changed 3 years ago by hellais

I filed a ticket for this here:

To be honest I don't consider this a security issue as all the paths that are disclosed there (and all paths in general for OONI infrastructure) are public anyways on our ooni-sysadmin repository (example for ooni-explorer:

I think it's a good idea to do this, though, to improve the usability of the website.

comment:2 Changed 14 months ago by arma

gk, hellais, ok to close this ticket?

comment:3 Changed 14 months ago by hellais

> gk, hellais, ok to close this ticket?

Yes for sure. We have since launched a new version of OONI Explorer based on a new codebase so this is no longer relevant.

comment:4 Changed 14 months ago by gk

Resolution: fixed
Status: new → closed

Fixed by the new code base then.
