[tor-talk] GlobaLeaks directory traversal vulnerability has been discovered and fixed

Giovanni Pellerano giovanni.pellerano at evilaliv3.org
Sun Feb 22 17:24:06 UTC 2015

Security Advisory - 22 February 2015 18:00 CET

GlobaLeaks directory traversal vulnerability has been discovered and fixed

GlobaLeaks software, starting from recent version 2.60.54 released 28
January 2015 during an intensive session of customization for new
whistleblowing projects, introduced a directory traversal vulnerability.

On 16 February 2015, with release of version 2.60.62 the issue has been

We invite anyone that installed or upgraded GlobaLeaks software between
28 January and 16 February, whose initiative is not publicly indexed on
Wikipedia, to upgrade!

Vulnerable versions
The GlobaLeaks versions reported to be vulnerable:
2.60.61 - 2015-02-12
2.60.60 - 2015-02-10
2.60.59 - 2015-02-10
2.60.58 - 2015-02-04
2.60.57 - 2015-02-03
2.60.56 - 2015-02-03
2.60.55 - 2015-01-29
2.60.54 - 2015-01-28

The vulnerability could potentially enabled downloading all files in
/var/globaleaks/ directory, except for Tor Hidden Service key (due to

Out of the initiatives publicly using GlobaLeaks [1], only 4 out of 23
were found to be vulnerable due to installation/upgrades done in the
past few weeks.

We coordinated in few hours the release of the fix and the upgrades with
the adopters and the infrastructure partners that are now safe from this

An analysis of the log files of /var/globaleaks/log/globaleaks* with
that 4 users revealed no disclosure of sensitive information, like the
configuration database of the GlobaLeaks node.

To check for exploitation of this vulnerability the right command is:
grep '///&#47' /var/globaleaks/log/*.log*

The vulnerability has been introduced with commit
4d59f7cc23256abf0e26755b0005044813e9c225 [2] fixing the issue #1110 [3].
The vulnerability has been fixed in commit
495c8e33a98e29a4bbe471f98d240ee9e077c738 [4].

It shall be further noted that, if globaleaks were deployed on a system
without AppArmor properly activated/installed, the vulnerability would
enable the download of all files of the system that are world-wide
readable, because of a collateral bug that did not prevent globaleaks
from starting if AppArmor was not available (but enabled, as it is by
Release 2.60.62 fix this issue also; now GlobaLeaks won't start if the
AppArmor check fails.

It should be noted that since all submitted documents are encrypted
using openPGP this content was never exposed or endangered due to this bug.

We want to thanks a hacker (that prefers to remain un-named), supporter
of opensource and anonymity software, that spotted the security bug and
responsibly reported to us, allowing an ordered handling of the issue.

As GlobaLeaks team we apologize for the inconvenience and for the
pressure we’ve put on the adopters to upgrade so quickly and to assess
if any real information exposure happened.

This vulnerability has been introduced by mistake by working/supporting
the customizations and improvements of new whistleblowing projects that
are now starting on a monthly basis, bringing a lot of pressure.

We’re better organizing our procedures, getting out from
over-working/under-pressure, with proper code-review and release
management for any new public release.

The many major improvement being done under 2014-2015 Roadmap will
further improve the software with multi-process segregated architecture
(postfix’s like) and client-side encryption.

We are committed to full transparency regarding our software development
practices, including security vulnerabilities, publishing all
Penetration Tests Results [5], inviting for new bugs to be spotted by
hackers that work for the greater good with our Bug Bounty program [6].

[1] https://en.wikipedia.org/wiki/GlobaLeaks#Implementations
[3] https://github.com/globaleaks/GlobaLeaks/issues/1110
[5] https://github.com/globaleaks/GlobaLeaks/wiki/Penetration-Tests
[6] https://www.globaleaks.org/bughunting/

HERMES Center for Transparency and Digital Human Rights
GlobaLeaks Project https://globaleaks.org
Contact: info at globaleaks.org
IRC: irc.oftc.net #globaleaks

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20150222/f246856b/attachment.sig>

More information about the tor-talk mailing list