[ooni-dev] OONI team report April 2014
art at torproject.org
Mon May 5 13:47:29 UTC 2014
# OONI team report April 2014
## Least Authority security audit
This month we mainly focused on addressing the issues raised during the
Least Authority audit of the application.
In particular, the following issues were found, and a resolution has been
provided for each of them.
No critical vulnerability has been found inside of the probe software.
Users are nonetheless highly encouraged to update to the latest version
of ooni-probe as soon as a release is out.
* Issue A. CSRF Token Not Compared in Constant Time
* Issue B. Arbitrary File Write in Input File Uploader
* Issue C. User Input Written to Logs
* Issue D. Tor Build Script Downloads zlib Over HTTP
* Issue E. Denial of Service by Uploading Lots of Header Lines
* Issue G. Cross-Site Scripting in HTTPRandomPage
* Issue F. `oonid` Lacks Authentication Checks
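Issue A above is the classic timing side channel: a plain `==` on two token strings stops at the first mismatching character, so the time the check takes depends on how much of the token an attacker has already guessed right. The following is an added example (not code from the ooni-probe repository or from the Least Authority report) showing, in Python like the probe itself, an instrumented early-exit comparison that makes the leak visible as a step count, beside a constant-time check built on `hmac.compare_digest`. The function names and the ASCII-only token format are assumptions made for the example.

```python
import hmac
import secrets


def issue_csrf_token(nbytes: int = 32) -> str:
    """Return a fresh, unpredictable CSRF token (hex-encoded, ASCII only)."""
    return secrets.token_hex(nbytes)


def naive_compare_steps(expected: str, presented: str) -> int:
    """Instrumented version of what a short-circuiting '==' does.

    Returns the number of characters examined before the comparison gave up.
    With a real '==' that count shows up as elapsed time: the more leading
    characters an attacker has right, the longer the check runs, which is the
    signal a timing attack uses. This helper exists only to make that visible.
    """
    steps = 0
    for a, b in zip(expected, presented):
        steps += 1
        if a != b:
            return steps
    return steps


def csrf_token_valid(expected: str, presented: str) -> bool:
    """Constant-time check of a presented CSRF token against the expected one.

    hmac.compare_digest examines every byte regardless of where the first
    mismatch is, so the duration does not depend on the token's contents.
    Both arguments are normalised to ASCII bytes first, because compare_digest
    only accepts two bytes-like objects or two ASCII str objects.
    """
    if not isinstance(expected, str) or not isinstance(presented, str):
        return False
    try:
        expected_b = expected.encode("ascii")
        presented_b = presented.encode("ascii")
    except UnicodeEncodeError:
        # A token that is not ASCII hex can never be one we issued.
        return False
    return hmac.compare_digest(expected_b, presented_b)


if __name__ == "__main__":
    token = issue_csrf_token()
    # Constructed guesses: one that shares no prefix, one that shares most of it.
    bad_early = ("0" if token[0] != "0" else "1") + token[1:]
    bad_late = token[:-1] + ("0" if token[-1] != "0" else "1")
    print("naive steps, mismatch at start:", naive_compare_steps(token, bad_early))
    print("naive steps, mismatch at end:  ", naive_compare_steps(token, bad_late))
    print("constant-time, correct token:  ", csrf_token_valid(token, token))
    print("constant-time, wrong token:    ", csrf_token_valid(token, bad_late))
```

Note that `hmac.compare_digest` still lets the lengths and types of its arguments influence timing (but not their values); since the server always issues tokens of a fixed length, that is acceptable, and anything of the wrong length or type is rejected before the comparison anyway.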
## Improvements to ooni-probe
* Added support for recording the Tor Exit IP used when performing the
* We now have a manpage for the ooniprobe cli tool.
* Fixed an issue that led to unit tests writing outside the build
directory, which made the Debian package build bot complain.
* The bridge_reachability test now supports fteproxy and includes the
Tor version in the report.