#30419: Apache's server-status page accessible via TPO onion services
-------------------------------------------------+-------------------------
 Reporter:  Parckwart                            |          Owner:  anarcat
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  fixed
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Comment (by arma):

 Thanks Parckwart! Good find. We believe anarcat fixed it -- if you find
 anyplace in Tor infrastructure land that still has the issue, please reopen
 this ticket.

 It looks like we added in the problem on March 19, during an apache config
 file update for apache 2.4.

 We've begun the process of trying to figure out if we can learn whether
 people exploited this issue much in the past six weeks. Our webservers don't
 really keep logs that help much here (which is a feature in other
 circumstances: #20928) so it's not straightforward.

 anarcat: this seems like the sort of security audit we should want to set up
 an automated check for, so that it can squeal if some future configuration
 ever starts revealing this content again.

 And while I'm thinking of follow-up steps, take a look at
 https://riseup.net/en/security/network-security/tor/onionservices-best-practices#be-careful-of-localhost-bypasses

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30419#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
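The automated check arma asks for, as an added example that is not the Tor sysadmin team's own monitoring code: it requests /server-status through a local Tor client (assumed SocksPort 127.0.0.1:9050) for each onion name given on the command line and reports any host that actually serves a mod_status page. Going through Tor matters because, as the linked riseup note explains, requests arriving via the onion service reach Apache from localhost and can satisfy access rules that block ordinary clients, so probing from outside over clearnet would not reproduce the exposure.

```python
"""Check whether Apache's mod_status page is reachable through an onion service.

Added example, not the Tor Project's monitoring. Assumptions: curl is
installed, and a tor client listens on the default SocksPort below.
"""
import subprocess
import sys

SOCKS_PROXY = "127.0.0.1:9050"          # assumption: local tor SocksPort
MARKER = b"Apache Server Status"        # <title> text mod_status emits


def is_status_exposed(http_code: int, body: bytes) -> bool:
    """True only for a served mod_status page: a 403/404, or some unrelated
    page that happens to answer at /server-status, is not a finding."""
    return http_code == 200 and MARKER in body


def parse_curl_output(out: bytes):
    """Split curl's stdout into (http_code, body). fetch() appends the status
    code on its own line after the body; a failed connection yields code 000."""
    body, _, code = out.rpartition(b"\n")
    return int(code or 0), body


def fetch(url: str, proxy: str = SOCKS_PROXY, timeout: int = 60):
    """Fetch URL via Tor. --socks5-hostname makes Tor resolve the .onion
    name instead of the local resolver, which cannot."""
    proc = subprocess.run(
        ["curl", "-s", "--max-time", str(timeout), "--socks5-hostname", proxy,
         "-w", "\n%{http_code}", url],
        capture_output=True, check=False)
    return parse_curl_output(proc.stdout)


def check_hosts(hosts):
    """Return the onion names whose /server-status is exposed."""
    exposed = []
    for host in hosts:
        code, body = fetch(f"http://{host}/server-status")
        if is_status_exposed(code, body):
            exposed.append(host)
    return exposed


if __name__ == "__main__":
    bad = check_hosts(sys.argv[1:])
    for host in bad:
        print(f"CRITICAL: {host} serves /server-status")
    sys.exit(2 if bad else 0)   # non-zero so a cron job or Nagios alerts
```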