GL01-012 Default admin credentials and search engine indexing (Medium)

[vecna]

The default Globaleaks installation sets up known, public, default administrator credentials and no protection against search engine indexing (i.e. no robots.txt file). This may facilitate:

• Finding the Globaleaks node via search engines
• Gaining remote admin access to the front-end of the Globaleaks node via default credentials (also published in the wiki).

This vulnerability is partially mitigated because the administrator is prompted to change the default password once they login through the front-end and by default the Globaleaks node only listens for connections from localhost. However, it may still be possible that the administrator makes the node site publicly available and enables remote access from all IPs before they change the default admin password. In order to solve this problem we suggest the following mitigations:

• The installation scripts and/or the process that starts globaleaks should prompt the user to choose a long and complex password the first time: This ensures Globaleaks default passwords are no longer a problem.
  • The default installation should contain a robots.txt file containing the following:

User-agent: * Disallow: /

This configuration ensures that by default search engine indexing is not allowed and Globaleaks node administrators would be significantly less likely to become Google Dorks.

[fpietrosanti]

This will be mitigated mostly by #164

[fpietrosanti]

Globaleaks does not by default Expose to search Engine because tor2web by default block it, i'd consider this issue low impact

[fpietrosanti]

applied security tag

[evilaliv3]

fixed with commit: https://github.com/globaleaks/GLBackend/commit/deb8d4cf2c6a0dc21c94206452fb1c0cfa2f753d

implemented robots.txt support (handled in static fashion but i don't think we will never need a dynamic solution for this)

the remaining part of this issue will be mitigated mostly by #164 so i'm going to close this ticket.