[tor-mirrors] Mirror Takedown

moparisthebest tor at moparisthebest.com
Fri Jun 6 16:01:23 UTC 2014

Hello John,

It sounds like your web server is (mis)configured to blindly execute any
script it finds.  I'd suggest you configure it to execute only
whitelisted scripts in general, or at minimum to just never execute
scripts found in the tor mirror directory.  If you can't reconfigure the
webserver for some reason, you could always just rsync to a temporary
directory, run `find /path/to/temp/dir -type f -name '*.php' -print0 |
xargs -0 rm` to delete all files your webserver would execute, and then
rsync or move that to the proper public directory.

I just hate to see someone stop running a mirror just because of a
'security concern' that is so easily remedied.  If you have more
concerns or configuration questions, just let me know.


>Hi Andrew,
>It is theoretically possible for someone in between my server and Tor
to modify the request to run various PHP and other scripts and connect
directly to the MySQL databases.
>On May 3, 2014, at 9:33 PM, Andrew Lewman <andrew at torproject.is> wrote:
>> On Sat, May 03, 2014 at 05:47:16PM -0700, sweeney at riseup.net wrote
0.3K bytes in 0 lines about:
>> : Do to security concerns with the rsync not being encrypted, I have
taken down my mirror otivpn.com. Please remove it.
>> What "security concerns" would those be?
>> removed just the same.
>> --
>> Andrew
>> pgp 0x6B4D6475
>> _______________________________________________
>> tor-mirrors mailing list
>> tor-mirrors at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-mirrors

More information about the tor-mirrors mailing list