
# OONI team report April 2014

## Least Authority security audit

This month we mainly focused on addressing the issues raised during the Least Authority audit of the application. In particular the following issues were found and a resolution for them has been provided.

No critical vulnerability has been found inside the probe software. Users are nonetheless highly encouraged to update to the latest version of ooni-probe as soon as a release is out.

* Issue A. CSRF Token Not Compared in Constant Time: https://github.com/TheTorProject/ooni-probe/issues/317
* Issue B. Arbitrary File Write in Input File Uploader: https://github.com/TheTorProject/ooni-probe/issues/318
* Issue C. User Input Written to Logs: https://github.com/TheTorProject/ooni-probe/issues/302
* Issue D. Tor Build Script Downloads zlib Over HTTP: https://github.com/TheTorProject/ooni-probe/issues/303
* Issue E. Denial of Service by Uploading Lots of Header Lines: https://github.com/TheTorProject/ooni-probe/issues/304
* Issue F. `oonid` Lacks Authentication Checks: https://github.com/TheTorProject/ooni-probe/issues/319
* Issue G. Cross-Site Scripting in HTTPRandomPage: https://github.com/TheTorProject/ooni-probe/issues/305

## Improvements to ooni-probe

* Added support for recording the Tor exit IP used when performing the http_requests test: https://github.com/TheTorProject/ooni-probe/issues/81 https://github.com/TheTorProject/ooni-probe/pull/299
* We now have a manpage for the ooniprobe CLI tool: https://github.com/TheTorProject/ooni-probe/pull/315
* Fixed an issue that led to unit tests writing outside the build directory, which made the Debian package build bot complain: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743108 https://github.com/TheTorProject/ooni-probe/pull/314
* The bridge_reachability test now supports fteproxy and includes the Tor version in the report: https://github.com/TheTorProject/ooni-probe/pull/297

~ Art.
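The two audit findings above that are easiest to get wrong again are Issue A (a CSRF token compared with a short-circuiting `==`) and Issue B (an untrusted upload filename joined onto a directory). The block below is an added example, not ooni-probe's own code, showing the vulnerable comparison beside the constant-time one, and a filename check that refuses anything escaping the upload directory. Function names, the `/tmp/uploads` directory and the sample filenames are assumptions made up for the example.

```python
import hmac
import os

# Added example (not ooni-probe code). Upload directory and filenames below
# are constructed for illustration.


def csrf_ok_vulnerable(expected: str, presented: str) -> bool:
    """The pattern behind Issue A: str == str stops at the first differing
    byte, so the response time leaks how many leading bytes of the token
    the attacker has already guessed correctly."""
    return expected == presented


def csrf_ok(expected: str, presented: str) -> bool:
    """Fixed form: hmac.compare_digest examines every byte, so the time
    taken depends only on the input lengths, not on where they differ."""
    return hmac.compare_digest(expected.encode("utf-8"),
                               presented.encode("utf-8"))


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Resolve an untrusted filename inside upload_dir (Issue B).

    Rejects empty names, '.', '..', and anything carrying a directory
    component, then re-checks the resolved path really sits directly
    inside upload_dir (catches symlink tricks and any normalisation
    surprise in os.path.join)."""
    base = os.path.realpath(upload_dir)
    name = os.path.basename(filename)
    # basename strips '../' and 'sub/' prefixes; if that changed anything,
    # the caller supplied a path, not a bare filename.
    if name in ("", ".", "..") or name != filename:
        raise ValueError("invalid upload filename: %r" % (filename,))
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(dest) != base:
        raise ValueError("upload path escapes %s: %r" % (base, filename))
    return dest


def upload_allowed(upload_dir: str, filename: str) -> bool:
    """Boolean wrapper around safe_upload_path for callers that only
    need an accept/reject decision."""
    try:
        safe_upload_path(upload_dir, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = "c3b1f0e9"  # constructed sample token
    print("vulnerable compare:", csrf_ok_vulnerable(token, "c3b1f0e9"))
    print("constant-time compare:", csrf_ok(token, "c3b1f0e9"))
    for candidate in ("inputs.txt", "../../etc/passwd", "sub/inputs.txt", ".."):
        print("%-20r allowed=%s" % (candidate, upload_allowed("/tmp/uploads", candidate)))
```

`hmac.compare_digest` is the standard-library primitive for this check in Python 2.7.7+/3.3+; on older interpreters the same effect needs a hand-written loop that XORs every byte and accumulates the result rather than returning early. The path check deliberately resolves both the base directory and the destination with `os.path.realpath` before comparing, so a symlinked upload directory does not produce a false rejection and a symlink inside it does not produce a false acceptance.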
participants (1)
-
Arturo Filastò