globaleaks / APAF

Anonymous Python Application Framework
33 stars 15 forks

Default APAF hidden service serves /tmp #44

Open aagbsn opened 12 years ago

aagbsn commented 12 years ago

The default static web service bundled with APAF serves the contents of the system /tmp directory.

Instructions for reproducing: (on Fedora 17 with python-virtualenv)

(install virtualenv, virtualenvwrapper -- yum install python-virtualenv python-virtualenvwrapper)
mkvirtualenv VIRTUAL_ENVIRONMENT (will automatically activate this virtualenv)
(install dependencies and apaf)
cd /path/to/APAF; python apaf/main.py

look for the hidden service .onion address from the following lines:

(timestamp) [TorControlProtocol,client] panel service running at ONION_ADDRESS_1.onion
(timestamp) [TorControlProtocol,client] staticwebserver service running at ONION_ADDRESS_2.onion

navigate to http://SOME_OTHER_ONION.onion and observe the contents of /tmp

This could leak information about other services on the system.

Suggested fix: set the root of the web service to a new empty directory.
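The following is an added example of how the suggested fix could be implemented; it is not APAF's code and not the change the project applied. It rejects a document root that is (or lies inside) a system-wide scratch directory or that other users can write to, and creates a fresh, empty, mode-0700 directory to serve instead. The names SHARED_DIRS, DEFAULT_BASE, the APAF_STATIC_BASE environment variable and the function names are assumptions made for this example.

```python
"""Added example, not APAF code: choose a document root for the static web
service that cannot expose other processes' files, as the issue suggests."""
import os
import stat
import tempfile
from pathlib import Path

# System-wide scratch directories. Every user and service on the host writes
# here, so serving any of them publishes whatever happens to be lying around.
SHARED_DIRS = ("/tmp", "/var/tmp", "/dev/shm", tempfile.gettempdir())

# Assumed location for freshly created roots (not an APAF setting): a
# directory under the working directory, overridable through an environment
# variable invented for this example.
DEFAULT_BASE = os.environ.get("APAF_STATIC_BASE",
                              os.path.join(os.getcwd(), "apaf-static"))


def is_shared_dir(path):
    """True if `path` is one of the shared scratch directories or inside one."""
    resolved = Path(path).resolve()
    for shared in SHARED_DIRS:
        shared = Path(shared).resolve()
        if resolved == shared or shared in resolved.parents:
            return True
    return False


def validate_document_root(path):
    """Return the resolved root, or raise ValueError if serving it is unsafe."""
    root = Path(path).resolve()  # follow symlinks before judging the target
    if is_shared_dir(root):
        raise ValueError("%s is a shared temporary directory" % root)
    if not root.is_dir():
        raise ValueError("%s is not a directory" % root)
    mode = root.stat().st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Anyone who can write here can plant content the hidden service serves.
        raise ValueError("%s is group- or world-writable" % root)
    return root


def new_empty_document_root(base_dir=DEFAULT_BASE):
    """Create a fresh, empty, mode-0700 directory under base_dir and return it.

    This is the issue's suggested fix: start from an empty directory the
    operator controls instead of inheriting whatever is in /tmp.
    """
    base = Path(base_dir).resolve()
    if is_shared_dir(base):
        raise ValueError("refusing to create the root under %s" % base)
    base.mkdir(parents=True, exist_ok=True)
    os.chmod(base, 0o700)
    # mkdtemp creates the directory atomically with mode 0700 regardless of umask.
    root = Path(tempfile.mkdtemp(prefix="static-", dir=str(base)))
    return validate_document_root(root)


if __name__ == "__main__":
    try:
        validate_document_root("/tmp")
    except ValueError as exc:
        print("rejected:", exc)
    print("serving from:", new_empty_document_root())
```

The group/world-writable check matters as much as the /tmp check: a hidden service whose root any local user can write to lets that user publish files under the service's .onion name.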

fpietrosanti commented 12 years ago

Maybe there's also a bug related to the persistence of the TorHS key, right?