[tor-bugs] #30419 [Internal Services/Tor Sysadmin Team]: Apache's server-status page accessible via TPO onion services
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue May 7 02:10:30 UTC 2019
#30419: Apache's server-status page accessible via TPO onion services
-------------------------------------------------+-------------------------
Reporter: Parckwart | Owner: anarcat
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution: fixed
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by arma):
Thanks Parckwart! Good find.
We believe anarcat fixed it -- if you find anyplace in Tor infrastructure
land that still has the issue, please reopen this ticket.
It looks like we added in the problem on March 19, during an apache config
file update for apache 2.4.
We've begun the process of trying to figure out if we can learn whether
people exploited this issue much in the past six weeks. Our webservers
don't really keep logs that help much here (which is a feature in other
circumstances: #20928) so it's not straightforward.
anarcat: this seems like the sort of security audit we should want to set
up an automated check for, so that it can squeal if some future
configuration ever starts revealing this content again. And while I'm
thinking of follow-up steps, take a look at
https://riseup.net/en/security/network-security/tor/onionservices-best-practices#be-careful-of-localhost-bypasses
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30419#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
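One way to implement the automated check arma asks for, as an added example that is not part of the ticket or of Tor's own infrastructure tooling: probe each monitored host's /server-status and exit non-zero when mod_status output comes back to an ordinary client. The host list, the User-Agent string and the "UNEXPECTED" verdict for responses that need a human look are my assumptions; for .onion fronts, run it under torsocks so the probe goes through Tor.

```python
#!/usr/bin/env python3
"""Alert when Apache mod_status output is reachable on any monitored host.

Exit status is non-zero if any host exposes /server-status, so a cron job
or monitoring hook can raise an alarm on it.
"""
import re
import sys
import urllib.error
import urllib.request

STATUS_PATH = "/server-status"
# Strings that identify mod_status output, in both the HTML view and the
# machine-readable "?auto" view (which carries no HTML title).
MARKERS = re.compile(r"Apache Server Status|Total Accesses:|Scoreboard:")

def classify(status_code, body):
    """Map a GET /server-status response to a verdict."""
    if status_code == 200 and MARKERS.search(body):
        return "EXPOSED"          # mod_status content came back to a client
    if status_code in (401, 403, 404):
        return "OK"               # denied, or the handler is not configured
    return "UNEXPECTED"           # e.g. 200 from a catch-all page, 5xx, no reply

def fetch(url, timeout=15):
    """Return (status_code, body); HTTP and connection errors become results."""
    req = urllib.request.Request(url, headers={"User-Agent": "status-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return None, ""

def check_hosts(base_urls, fetcher=fetch):
    """Probe every host; the fetcher is injectable so the logic is testable."""
    results = {}
    for base in base_urls:
        code, body = fetcher(base.rstrip("/") + STATUS_PATH)
        results[base] = classify(code, body)
    return results

def main(argv):
    # Hosts come from the command line, e.g. https://www.torproject.org and
    # any .onion front for it (assumed deployment; run under torsocks for those).
    results = check_hosts(argv[1:])
    for base, verdict in results.items():
        print(f"{verdict:10s} {base}{STATUS_PATH}")
    return 1 if "EXPOSED" in results.values() else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```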