Re: [Freedombox-discuss] Security/privacy issue for users of Tor onion service or Pagekite

To: freedombox-discuss@alioth-lists.debian.net, debian-freedombox@lists.debian.org
Subject: Re: [Freedombox-discuss] Security/privacy issue for users of Tor onion service or Pagekite
From: Petter Reinholdtsen <pere@hungry.com>
Date: Tue, 25 Aug 2020 08:25:41 +0200
Message-id: <[🔎] sa6o8mz1btm.fsf@hjemme.reinholdtsen.name>
In-reply-to: <[🔎] 389b33ab-66c7-95b2-2328-3628edac0862@mailbox.org>
References: <[🔎] 389b33ab-66c7-95b2-2328-3628edac0862@mailbox.org>

[James Valleroy]
> An issue has been found in FreedomBox that allows anonymous and
> unauthorized users to access private and potentially security relevant
> information. The information is shown on an Apache Server Status page
> and includes the IP address and URL request path for clients accessing
> pages on the server.

Ouch, that was nasty.  Anyone could via pagekite look at some of the
valid URLs visited on my Freedombox.  Luckily all of them require
authentication, and the only IP address exposed is on the private
(192.168/16) net inside my house.

Is there a CVE assigned to this issue?

-- 
Happy hacking
Petter Reinholdtsen

Reply to:

References:
- Security/privacy issue for users of Tor onion service or Pagekite
  - From: James Valleroy <jvalleroy@mailbox.org>

Prev by Date: Security/privacy issue for users of Tor onion service or Pagekite
Previous by thread: Security/privacy issue for users of Tor onion service or Pagekite
Index(es):
- Date
- Thread