[tor-bugs] #30419 [Internal Services/Tor Sysadmin Team]: Apache's server-status page accessible via TPO onion services

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 10 20:28:48 UTC 2019


#30419: Apache's server-status page accessible via TPO onion services
-------------------------------------------------+-------------------------
 Reporter:  Parckwart                            |          Owner:  anarcat
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by anarcat):

 == Context

 As documented in the
 [https://metrics.torproject.org/collector.html#webstats metrics pages],
 Tor webservers do not keep logs of visitors. The webserver (Apache) itself
 keeps those IP addresses in memory during the lifetime of the connection.
 This information can be disclosed on a /server-status page that is usually
 visible only to inside monitoring systems. A configuration error was
 introduced on March 19th 2019 which allowed onion services to access that
 page which could be used to access that information. This issue was
 reported in the Trac bugtracker (issue #30419) on May 6th 2019 and was
 fixed within the hour.

 == Mitigation

 The server-status page was checked and the issue was confirmed. A check in
 the git history found the bug and resolved it, and an audit was performed
 to see if the issue was correctly resolved. Analysis of the logs suggests
 there wasn't a significant increase in requests to /server-status.

 Patch that introduced the bug:

 {{{
 commit 8ba7d37b9b2e2431e201752a1eb69a9bcce483e1
 Date:   Tue Mar 19 16:50:44 2019 -0400

     port server-status configuration to Apache 2.4

     I verified that all hosts run at least Apache 2.4.10-10+deb8u13,
     shipped with Debian jessie.

     This is necessary for the apache collector to work.

 diff --git a/modules/apache2/files/common/etc/apache2/conf.d/server-status
 b/modules/apache2/files/common/etc/apache2/conf.d/server-status
 index 1a44e9b9..9362bcc2 100644
 --- a/modules/apache2/files/common/etc/apache2/conf.d/server-status
 +++ b/modules/apache2/files/common/etc/apache2/conf.d/server-status
 @@ -11,8 +11,6 @@
      ExtendedStatus on
      <Location /server-status>
          SetHandler server-status
 -        Order deny,allow
 -        Deny from all
 -        Allow from 127.0.0.1
 +        Require local
      </Location>
  </IfModule>
 }}}

 Patch that fixed it:

 {{{
 commit 19d5a30ca88fba4aa57d2574774c72d344114b1a
 Date:   Mon May 6 19:47:36 2019 -0400

     hide server-status from tor hidden services

     This is a hotfix for bug #30419 which correctly identified that the
     server-status pages are accessible when the webserver is accessed
     through the hidden service. It's unclear to me why "local" isn't
     equivalent to "127.0.0.1" but this fixes the problem on
     troodi/trac/ea5faa5po25cf7fb.onion so I'm satisfied.

     This was a regression introduced since march 19th, in commit
     8ba7d37b9b2e2431e201752a1eb69a9bcce483e1.

 diff --git a/modules/apache2/files/common/etc/apache2/conf.d/server-status
 b/modules/apache2/files/common/etc/apache2/conf.d/server-status
 index 9362bcc2..0da33673 100644
 --- a/modules/apache2/files/common/etc/apache2/conf.d/server-status
 +++ b/modules/apache2/files/common/etc/apache2/conf.d/server-status
 @@ -11,6 +11,6 @@
      ExtendedStatus on
      <Location /server-status>
          SetHandler server-status
 -        Require local
 +        Require ip 127.0.0.1
      </Location>
  </IfModule>
 }}}

 == Timeline

 All times in UTC starting on 2019-05-07:

  * 22:56:49 bug #30419 opened
  * 23:36:04 noticed by anarcat
  * 23:38:00 source of the problem identified
  * 23:47:36 patch implemented
  * 23:50:46 patch pushed to puppet
  * 23:50:57 issue claimed by anarcat
  * 00:00:00 (approximate) fix deployed everywhere, checks started
  * 00:38:30 all .onion sites from onion.tpo and ticket audited
  * 00:49:00 this report started
  * 01:14:00 audit of the webserver logs completed

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30419#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list