tridentli / trident

Trident is a trusted and secure communication platform for enabling better communication between groups of trusted parties
https://trident.li
Apache License 2.0

[Portal: CLI] PGP Secret Key Disclosure Risk #142

Open teward opened 6 years ago

teward commented 6 years ago

During a penetration test of the Trident software as part of a penetration test conducted by Black Hills Info Sec, an Information Disclosure issue was discovered.

This requires a low-privilege user to be used, and the CLI interface via the portal to be enabled.

It was discovered that the portal /cli/ page, when enabled and given a command such as ml seckey testgroup admin as a non-administrator user disclosed the PGP Secret Key for the given mailing list.

This function is not exposed for non-sysadmins in the tcli command line program, and is only exposed through the portal.

@bapril was notified about this issue over email shortly after the issues were discovered. It was decided that a public issue ticket for this issue should be made over the past weekend.

The Portal CLI page should probably disallow non-sysadmins from accessing this information.
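As an added illustration (not Trident's own code), a hypothetical Go dispatcher that enforces the sysadmin requirement at the command layer rather than separately in each front end, so that a non-sysadmin's `ml seckey` request is refused whether it arrives from tcli or the portal /cli/ page; the `User` type, the `handlers` table and the `sysadminOnly` list are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// User is a stand-in for the portal's authenticated session (hypothetical type).
type User struct {
	Name     string
	SysAdmin bool
}

// ErrForbidden is returned when the caller lacks the permission a command requires.
var ErrForbidden = errors.New("permission denied: sysadmin required")

// sysadminOnly marks command paths that ordinary users must never reach,
// whichever front end (tcli or the portal /cli/ page) delivers them.
var sysadminOnly = map[string]bool{"ml seckey": true}

// handlers is a constructed stand-in for the command back end.
var handlers = map[string]func(args []string) string{
	"ml seckey": func(args []string) string { return "[secret key material for " + strings.Join(args, "/") + "]" },
	"ml list":   func(args []string) string { return "members of " + strings.Join(args, " ") },
}

// Dispatch applies the permission gate before any handler runs, so the check
// holds no matter which entry point submitted the command line.
func Dispatch(u User, cmdline string) (string, error) {
	fields := strings.Fields(cmdline)
	if len(fields) < 2 {
		return "", errors.New("usage: <module> <command> [args...]")
	}
	key := fields[0] + " " + fields[1]
	h, ok := handlers[key]
	if !ok {
		return "", fmt.Errorf("unknown command %q", key)
	}
	if sysadminOnly[key] && !u.SysAdmin {
		return "", ErrForbidden
	}
	return h(fields[2:]), nil
}

func main() {
	_, err := Dispatch(User{Name: "alice"}, "ml seckey testgroup admin")
	fmt.Println("non-sysadmin seckey:", err)
}
```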

rgrmule commented 6 years ago

The following information does not solve this problem, in fact it exacerbates it, but if you have not already seen it... (if you have, apologies)

https://thehackernews.com/2018/05/pgp-smime-email-encryption.html
https://gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682