Closed chadwhitacre closed 6 years ago
Agreed!
gratipay-or-bountysource.guide grtp.co gttp.co
aspen.io gip.rocks gittip.co gittip.com gittip.org gratipay.co gratipay.com gratipay.net gratipay.org motivate.im simplates.org
I made some changes to DNS here, added v=spf1 -all to most everything. I didn't touch gittip.com or gratipay.com. I want better tooling (an Inside Gratipay appendix) to at least visualize if not manage our DNS.
Is SPF the only thing we need to configure to properly communicate that a domain doesn't send mail? We only need DKIM and DMARC for domains that do send mail, right?
Yes.
configure SPF and whatever else
This should dampen most of the noise reports:
v=spf1 -all
v=DMARC1\; p=reject\; pct=100\; rua=mailto:security@gratipay.com\; ruf=mailto:security@gratipay.com
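The two records above are what a domain that sends no mail should publish. As an added example (not Gratipay's tooling, and not code from anyone in this thread), here is a small audit that checks a zone export for exactly that: one SPF record reading `v=spf1 -all` at the apex and one DMARC record at `_dmarc.<domain>` with `p=reject`, and explains what is wrong with the common weaker variants (`~all`, `p=none`, `pct` below 100, no record at all). `SAMPLE_TXT` is a constructed sample, not a real zone export.

```python
"""Audit TXT records of a domain that sends no mail.

Added example for this thread, not Gratipay's own tooling.  It checks the
two records the thread settles on: exactly one SPF record reading
'v=spf1 -all' at the apex, and one DMARC record at _dmarc.<domain> with
p=reject.  SAMPLE_TXT below is a constructed zone export, not live DNS data.
"""


def parse_tags(record):
    """Parse 'v=DMARC1; p=reject; rua=mailto:x' into {tag: value}.

    Accepts the backslash-escaped ';' that some DNS consoles require when
    entering the record, as in the thread above.
    """
    tags = {}
    for part in record.replace("\\;", ";").split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record):
    """Problems with an SPF record published on a domain that sends no mail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    if [t.lower() for t in terms[1:]] == ["-all"]:
        return []
    findings = ["non-sending domain should publish exactly 'v=spf1 -all'"]
    last = terms[-1].lower()
    if last in ("~all", "?all", "+all", "all"):
        # softfail / neutral / pass: receivers will still deliver forged mail
        findings.append("'%s' lets forged mail through" % last)
    elif not last.endswith("all") and not any(
            t.lower().startswith("redirect=") for t in terms):
        findings.append("missing 'all' mechanism; the default result is neutral")
    return findings


def dmarc_findings(record):
    """Problems with a DMARC record that is meant to reject everything."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append("policy is %r, want p=reject" % tags.get("p"))
    if "sp" in tags and tags["sp"] != "reject":
        findings.append("subdomain policy sp=%s is weaker than reject" % tags["sp"])
    if tags.get("pct", "100") != "100":
        findings.append("pct=%s applies the policy to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address, so nobody receives aggregate reports")
    return findings


def audit_non_sending_domain(domain, txt_records):
    """txt_records maps an owner name to the list of TXT strings published on it."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    dmarc = [r for r in txt_records.get("_dmarc." + domain, [])
             if r.upper().startswith("V=DMARC1")]
    findings = []
    # RFC 7208: more than one SPF record is a permerror; zero means no policy at all.
    if len(spf) != 1:
        findings.append("%s: expected exactly one SPF record, found %d" % (domain, len(spf)))
    else:
        findings += spf_findings(spf[0])
    if len(dmarc) != 1:
        findings.append("_dmarc.%s: expected exactly one DMARC record, found %d"
                        % (domain, len(dmarc)))
    else:
        findings += dmarc_findings(dmarc[0])
    return findings


SAMPLE_TXT = {  # constructed sample, not a real zone export
    "gittip.co": ["v=spf1 -all"],
    "_dmarc.gittip.co": [
        "v=DMARC1\\; p=reject\\; pct=100\\; rua=mailto:security@gratipay.com\\; "
        "ruf=mailto:security@gratipay.com"
    ],
    "motivate.im": ["v=spf1 ~all"],
    "_dmarc.motivate.im": ["v=DMARC1; p=none; rua=mailto:security@gratipay.com"],
    "simplates.org": [],
}

if __name__ == "__main__":
    for name in ("gittip.co", "motivate.im", "simplates.org"):
        print(name, audit_non_sending_domain(name, SAMPLE_TXT) or ["ok"])
```

Feeding it a real export means collecting the TXT strings per owner name first; the audit itself stays offline, which is what makes it usable as the "visualize our DNS" check the thread asks for.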
Since Aspen will get his own HackerOne program, we should remove the related domains from the list.
I'll take a quick look at the Gratipay-related domains so we won't miss obvious vulnerabilities before adding it to the scope.
Spent ~30 minutes on this. Let's discuss the results and create the appropriate issues if there is a need to. EDIT: I did not try to see if there are issues related to what you already listed.
\r and \n are not well-handled (giving a 500) but no CRLF injection is possible.
Pillow version, vulnerable to several DoS exploits (no RCE). The extension check is not enough to mitigate vulnerabilities like CVE-2016-0740, since we can pass a TIFF file but advertise it as Content-Type: image/jpeg. I'd advise to at least upgrade this library to the latest version.
Internal server error, program!
Traceback (most recent call last):
  File "/app/.heroku/python/lib/python2.7/site-packages/algorithm.py", line 288, in run
    new_state = function(**deps.as_kwargs)
  File "/app/.heroku/python/lib/python2.7/site-packages/aspen/algorithms/website.py", line 113, in get_response_for_resource
    return {'response': resource.respond(state)}
  File "/app/.heroku/python/lib/python2.7/site-packages/aspen/resources/simplate.py", line 53, in respond
    exec(self.pages[1], spt_context) # mutating it
  File "/app/www/v1.spt", line 22, in <module>
    image = Image.open(fp)
  File "/app/.heroku/python/lib/python2.7/site-packages/PIL/Image.py", line 2330, in open
    % (filename if filename else fp))
IOError: cannot identify image file <cStringIO.StringI object at 0x7f7924680cf0>
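The Pillow point above is that neither the file extension nor the client's Content-Type decides which decoder runs; the decoder picks the format from the file's own bytes, so a TIFF named avatar.jpg still reaches the TIFF decoder. As an added example (not Gratipay's code and not the reporter's), here is the check that closes that gap: sniff the magic bytes first, allow-list the real format, and require the extension and the declared Content-Type to agree with it, so bytes for any other format are refused before a decoder is ever called. `TIFF_BYTES` and `JPEG_BYTES` are constructed headers, not real images; upgrading Pillow is still needed for the formats you do accept.

```python
"""Reject an upload whose bytes do not match its declared Content-Type.

Added example for the Pillow finding above, not Gratipay's code.  An
extension or Content-Type check is no defence when the decoder picks the
format from the file's own bytes, so the real format is sniffed first and
allow-listed.  The payloads at the bottom are constructed byte strings.
"""

# (mime, magic prefix); only formats we want to recognise at all.
MAGIC = (
    ("image/png", b"\x89PNG\r\n\x1a\n"),
    ("image/gif", b"GIF89a"),
    ("image/gif", b"GIF87a"),
    ("image/jpeg", b"\xff\xd8\xff"),
    ("image/tiff", b"II*\x00"),  # little-endian TIFF
    ("image/tiff", b"MM\x00*"),  # big-endian TIFF
)
ALLOWED = {"image/jpeg", "image/png", "image/gif"}
EXTENSIONS = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
              "png": "image/png", "gif": "image/gif"}


def sniff_image_type(data):
    """Return the MIME type implied by the leading bytes, or None."""
    for mime, magic in MAGIC:
        if data[:len(magic)] == magic:
            return mime
    return None


def accept_upload(filename, content_type, data):
    """Return (ok, detail).

    ok is True only when the real format is on the allow-list and both the
    declared Content-Type and the filename extension agree with it; anything
    else is refused before a decoder sees the bytes.
    """
    declared = content_type.split(";")[0].strip().lower()
    actual = sniff_image_type(data)
    if actual is None:
        return False, "unrecognised image data"
    if declared != actual:
        # the thread's case: TIFF bytes advertised as image/jpeg
        return False, "Content-Type %s does not match the data (%s)" % (declared, actual)
    if actual not in ALLOWED:
        return False, "%s is not an accepted format" % actual
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if EXTENSIONS.get(ext) != actual:
        return False, "extension %r does not match the data (%s)" % (ext, actual)
    return True, actual


# Constructed payloads: a minimal TIFF header, and a JPEG SOI + APP0 marker.
TIFF_BYTES = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8

if __name__ == "__main__":
    print(accept_upload("avatar.jpg", "image/jpeg", TIFF_BYTES))  # refused
    print(accept_upload("avatar.jpg", "image/jpeg", JPEG_BYTES))  # accepted
```

The ordering matters: the mismatch check runs before the allow-list check so the log line says what the client lied about, and the extension check runs last because it is the weakest signal of the three.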
Just saw that gittip.org still has a TXT record "ALIAS for gittip.herokuapp.com". Since this application name does not exist anymore, I think we should remove this entry too so it can't be hijacked.
Uh, in fact, there is even a wildcard, routing all the requests to subdomains to gittip.herokuapp.com. The behaviour of gittip.org is the right one, redirecting to gratipay.com. We need to address this.
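The gittip.org records above are the classic dangling-delegation shape: a name (and here a wildcard covering every subdomain) handed off to a platform hostname whose app has been deleted, so whoever registers that app name on the platform serves the domain. As an added example, not Gratipay's tooling, here is the offline part of a check for that in a zone export: it recognises CNAME/ALIAS records and the "ALIAS for <host>" TXT convention seen on gittip.org, and flags targets on the platform whose app is not in a set of live apps, plus any wildcard owner. `ZONE` and `LIVE_HEROKU_APPS` are constructed; a real tool would replace the set with a lookup that resolves each target and checks for the platform's "no such app" response.

```python
"""Find zone entries that delegate a name to a third-party platform whose
target no longer exists (takeover risk), and wildcards that do so for every
subdomain.

Added example for the gittip.org finding above, not Gratipay's own tooling.
ZONE and LIVE_HEROKU_APPS are constructed; offline, the set of live apps
stands in for the check a real tool would do by resolving each target.
"""

PLATFORM_SUFFIXES = (".herokuapp.com",)

ZONE = """\
; constructed sample in zone-file form
gittip.org.         300 IN TXT   "ALIAS for gittip.herokuapp.com"
*.gittip.org.       300 IN CNAME gittip.herokuapp.com.
www.gratipay.com.   300 IN CNAME gratipay.herokuapp.com.
gratipay.com.       300 IN TXT   "v=spf1 -all"
"""

LIVE_HEROKU_APPS = {"gratipay"}  # constructed: the gittip app was deleted


def parse_zone(text):
    """Return [(owner, type, rdata)] with trailing dots and quotes stripped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        records.append((owner.rstrip("."), rtype.upper(),
                        rdata.strip().strip('"').rstrip(".")))
    return records


def delegation_target(rtype, rdata):
    """Hostname a record hands the name off to, or None.

    Covers CNAME/ALIAS and the 'ALIAS for <host>' TXT convention the thread
    saw on gittip.org.
    """
    if rtype in ("CNAME", "ALIAS", "ANAME"):
        return rdata
    if rtype == "TXT" and rdata.startswith("ALIAS for "):
        return rdata[len("ALIAS for "):]
    return None


def dangling_findings(records, live_apps):
    """Flag delegations to platform apps that no longer exist, and wildcards."""
    findings = []
    for owner, rtype, rdata in records:
        target = delegation_target(rtype, rdata)
        if target is None:
            continue
        for suffix in PLATFORM_SUFFIXES:
            if not target.endswith(suffix):
                continue
            app = target[:-len(suffix)]
            if app not in live_apps:
                findings.append("%s -> %s: app %r no longer exists, name can be claimed"
                                % (owner, target, app))
            if owner.startswith("*."):
                findings.append("%s is a wildcard: every subdomain follows this delegation"
                                % owner)
    return findings


if __name__ == "__main__":
    for finding in dangling_findings(parse_zone(ZONE), LIVE_HEROKU_APPS):
        print(finding)
```

Even once the app exists again the wildcard line stays worth reporting: it means every name under the domain, including ones nobody intended to publish, follows the same delegation.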
Obvious +1 for @whit537's "I want better tooling (an Inside Gratipay appendix) to at least visualize if not manage our DNS." I'll do it on paper first (what we currently have / what we should have instead) and then let's discuss it.
I don't think we should tackle this until we reach Security 0, otherwise we just invite more traffic, and we are barely managing what we already have.
But we should first configure SPF and whatever else to avoid tons of noise.