
Re: [Freedombox-discuss] Security/privacy issue for users of Tor onion service or Pagekite



On 8/25/20 2:25 AM, Petter Reinholdtsen wrote:
> [James Valleroy]
>> An issue has been found in FreedomBox that allows anonymous and
>> unauthorized users to access private and potentially security relevant
>> information. The information is shown on an Apache Server Status page
>> and includes the IP address and URL request path for clients accessing
>> pages on the server.
> 
> Ouch, that was nasty.  Anyone could via pagekite look at some of the
> valid URLs visited on my Freedombox.  Luckily all of them require
> authentication, and the only IP address exposed is on the private
> (192.168/16) net inside my house.
> 
> Is there a CVE assigned to this issue?

Yes, it is now assigned CVE-2020-25073.

https://security-tracker.debian.org/tracker/CVE-2020-25073

--
James
