atoponce / d-note

Self destructing encrypted notes

Note re-creation vulnerability #57

Open ekoyle opened 4 years ago

ekoyle commented 4 years ago

The web UI will allow a client-generated private id to be used (by altering the value of the hidden new_url input), which allows a malicious user to view and/or modify a note without detection.

After viewing the note, the malicious user only needs to re-create it using the same private id and (optional) passphrase. The note could be identical or modified, and there is no way for the intended recipient to detect this. A note can also be overwritten without being viewed first if the private id is known.

I recommend using a server-side secret to validate that the private id was generated on the server and not by a malicious user. It would also be a good idea to include a timestamp to validate the private id was generated recently.
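One way to implement the recommendation above, as an added example that is not code from d-note or from this issue's author: the server mints `new_url` as a random id plus an issue timestamp and an HMAC tag under a server-side secret, and on submit accepts only ids whose tag verifies and whose timestamp falls within the validity window. The option names `server_secret` and `signature_validity` follow the thread; the token layout, helper names and constant-time comparison are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed config values; the thread says these live in dconfig.py.
SERVER_SECRET = b"replace-with-a-long-random-string"  # assumption, constructed
SIGNATURE_VALIDITY = 300  # seconds, default named in the thread


def _b64(raw):
    """URL-safe base64 without padding, so the id is safe inside a URL."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _sign(private_id, issued, secret):
    """HMAC-SHA256 over id and issue time; only the server can produce this."""
    msg = ("%s.%d" % (private_id, issued)).encode("ascii")
    return _b64(hmac.new(secret, msg, hashlib.sha256).digest())


def generate_new_url(secret=SERVER_SECRET, now=None):
    """Server-side generation: random id + issue time + tag, dot separated."""
    private_id = _b64(os.urandom(16))
    issued = int(time.time() if now is None else now)
    return "%s.%d.%s" % (private_id, issued, _sign(private_id, issued, secret))


def verify_new_url(token, secret=SERVER_SECRET, validity=SIGNATURE_VALIDITY,
                   now=None, skew=5):
    """Return the private id if this server minted the token recently, else None.

    A client-chosen id (no tag, wrong tag, or an id swapped into a valid
    token) fails the HMAC check; a replayed old token fails the time check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    private_id, issued_s, tag = parts
    if not issued_s.isdigit():
        return None
    issued = int(issued_s)
    expected = _sign(private_id, issued, secret)
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    current = int(time.time() if now is None else now)
    if issued > current + skew or current - issued > validity:
        return None
    return private_id
```

The id returned by `verify_new_url` is the only value the server should use for storage; the raw `new_url` field from the form is never trusted directly.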

DFF-fred commented 4 years ago

I updated my installation but am now getting a 500 error. The error.log file says: UndefinedError: 'note' is undefined Where should I define it, and how?

ekoyle commented 4 years ago

Was there a traceback?

It could be that I have different versions of libraries.

Also, there are two new config options that need to be added to dnote.py:

server_secret - long, random string without special characters signature_validity - integer, default 300 seconds


DFF-fred commented 4 years ago

Yes there is a traceback. Here it is:

    [2020-01-22 09:14:03,309] ERROR in app: Exception on / [GET]
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1982, in wsgi_app
        response = self.full_dispatch_request()
      File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1614, in full_dispatch_request
        rv = self.handle_user_exception(e)
      File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1517, in handle_user_exception
        reraise(exc_type, exc_value, tb)
      File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1612, in full_dispatch_request
        rv = self.dispatch_request()
      File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1598, in dispatch_request
        return self.view_functions[rule.endpoint](**req.view_args)
      File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/__init__.py", line 15, in index
        return render_template('index.html', random=note.url, error=error)
      File "/usr/lib/python2.7/dist-packages/flask/templating.py", line 134, in render_template
        context, ctx.app)
      File "/usr/lib/python2.7/dist-packages/flask/templating.py", line 116, in _render
        rv = template.render(context)
      File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 1008, in render
        return self.environment.handle_exception(exc_info, True)
      File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 780, in handle_exception
        reraise(exc_type, exc_value, tb)
      File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/templates/index.html", line 1, in top-level template code
        {% extends "base.html" %}
      File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/templates/base.html", line 73, in top-level template code
        {% block content %}{% endblock %}
      File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/templates/index.html", line 27, in block "content"
        <input name="new_url" type="hidden" value="{{ note.url }}" />
      File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 430, in getattr
        return getattr(obj, attribute)
    UndefinedError: 'note' is undefined

Also I didn't find any dnote.py. Are you referring to d-note.ini or note.py?

Thank you.

ekoyle commented 4 years ago

It looks like dnote/__init__.py did not get updated on your installation.

dnote.py should be in either /etc/dnote or ~/.dnote/.

-- Eldon


DFF-fred commented 4 years ago

Indeed I had 2 files out of 4 not updated. For some reason GitHub is showing me the old version of the files, but the page with the changes is OK. Anyway, I now think I did the changes right and the app is showing. Unfortunately, when I click on Submit I get this: "Your request appears to have been tampered with. Please try again. error: could not convert string to float: None". And I didn't find any dnote.py. Are you referring to the 2 extra lines in generate_dnote_hashes? Then it reads from d-note.ini and generates a dconfig.py, and I can see those 2 extra variables in it.

ekoyle commented 4 years ago

Sorry, it is dconfig.py.

This has not been merged yet, so can you try cloning my branch like this?

git clone --single-branch --branch verify_new_url https://github.com/ekoyle/d-note.git


DFF-fred commented 4 years ago

Oh.. well, I think I verified the 5 files and they are similar now. I'll try to do that and revert to you, but it might not happen right away as I need to go out right now. I'll let you know then. Thank you.

DFF-fred commented 4 years ago

So yes, your branch works. I need to figure out what's not working in my version... Thank you very much for your help. PS: I just copied the template folder and it worked. I guess I must have omitted one of the changes when I manually added them. Thanks again for this great software!

ekoyle commented 4 years ago

@santiago-usu recommended just removing that variable from the, but I thought it was used by the hashcash validation. Upon further inspection, that does not appear to be the case.

Maybe it would be better to wait until after the post to generate the private_id/new_url?

Also, I kind of question the usefulness of the hashcash operation as it is implemented... the server isn't validating the browser fingerprint (not sure if this is possible), the date, or any other part of it besides ensuring the hash of it starts with '0000' -- the only restriction is that the token has not been used before. It would be trivial to find a long list of valid hashcash tokens.

DFF-fred commented 4 years ago

Hi! Not sure what is happening, but the application suddenly stopped working. I reinstalled (a few times) and it seems the main repository is still at the old version? I also did an install from your as instructed above and am getting the same problem:

Looking into dnote/data I do not see any file create or hashcash.db as mentioned in the troubleshooting section, and I set the data dir as 777. Any idea?

PS: I am having the same issue at https://ae7.st/d/

ekoyle commented 4 years ago

@DFF-fred this project doesn't seem to be maintained anymore. There are also some security concerns, the biggest of which is that the server gets every message in plain-text. Also, python2 is no longer supported.

My second PR (#59) is the simplest fix for this issue.

DFF-fred commented 4 years ago

Hi! Well thank you for the feedback. I've struggled a bit and finally found another maintained project doing the same called PrivateBin on github as well. Seems to be running fine so far.

Thanks again for your help.