[tor-bugs] #23578 [Webpages/Webtools]: Don't include full path of error messages in OONI explorer's error page

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 19 09:21:03 UTC 2017


#23578: Don't include full path of error messages in OONI explorer's error page
-----------------------------------+------------------
     Reporter:  gk                 |      Owner:  hiro
         Type:  defect             |     Status:  new
     Priority:  Medium             |  Milestone:
    Component:  Webpages/Webtools  |    Version:
     Severity:  Normal             |   Keywords:
Actual Points:                     |  Parent ID:
       Points:                     |   Reviewer:
      Sponsor:                     |
-----------------------------------+------------------
 We got a HackerOne report by yox about a full path disclosure on the OONI
 explorer error page:

 https://explorer.ooni.torproject.org//x

 {{{
 Impact

 This security vulnerability could potentially allow a malicious hacker to
 map an attack against internal systems. For example, if this were to be
 chained with another vulnerability such as path traversal, it may lead to
 compromise of internal systems.

 Mitigation

 Typically these sorts of errors occur from incorrect data types; in this
 case it seems like it is just a simple 404 page which is however leaking
 too much information to the user.

 A best practice method is to log these types of errors to a local text
 file, while showing the user a friendly 404 message. This is often
 achieved by disabling error reporting on the application side.
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23578>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online