[ooni-dev] OONI team report April 2014

Arturo Filastò art at torproject.org
Mon May 5 13:47:29 UTC 2014


# OONI team report April 2014

## Least Authority security audit

This month we mainly focused on addressing the issues raised during the
Least Authority audit of the application.

In particular, the following issues were found, and a resolution for each
of them has been provided.

No critical vulnerability was found in the probe software. Users are
nonetheless highly encouraged to update to the latest version of
ooni-probe as soon as a release is out.

* Issue A. CSRF Token Not Compared in Constant Time:
https://github.com/TheTorProject/ooni-probe/issues/317

* Issue B. Arbitrary File Write in Input File Uploader:
https://github.com/TheTorProject/ooni-probe/issues/318

* Issue C. User Input Written to Logs:
https://github.com/TheTorProject/ooni-probe/issues/302

* Issue D. Tor Build Script Downloads zlib Over HTTP:
https://github.com/TheTorProject/ooni-probe/issues/303

* Issue E. Denial of Service by Uploading Lots of Header Lines:
https://github.com/TheTorProject/ooni-probe/issues/304

* Issue G. Cross-Site Scripting in HTTPRandomPage:
https://github.com/TheTorProject/ooni-probe/issues/305

* Issue F. `oonid` Lacks Authentication Checks:
https://github.com/TheTorProject/ooni-probe/issues/319

## Improvements to ooni-probe

* Added support for recording the Tor Exit IP used when performing the
http_requests test:
https://github.com/TheTorProject/ooni-probe/issues/81
https://github.com/TheTorProject/ooni-probe/pull/299

* We now have a manpage for the ooniprobe CLI tool:
https://github.com/TheTorProject/ooni-probe/pull/315

* Fixed an issue that led to unit tests writing outside the build
directory, which caused the Debian package build bot to complain:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743108
https://github.com/TheTorProject/ooni-probe/pull/314

* The bridge_reachability test now supports fteproxy and includes the
Tor version in the report:
https://github.com/TheTorProject/ooni-probe/pull/297

~ Art.