Re: [tor-bugs] #30419 [Internal Services/Tor Sysadmin Team]: Apache's server-status page accessible via TPO onion services
#30419: Apache's server-status page accessible via TPO onion services
-------------------------------------------------+-------------------------
Reporter: Parckwart | Owner: anarcat
Type: defect | Status: closed
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Resolution: fixed
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):
== Context
As documented in the
[https://metrics.torproject.org/collector.html#webstats metrics pages],
Tor webservers do not keep logs of visitors. The webserver (Apache) itself
keeps those IP addresses in memory during the lifetime of the connection.
This information can be disclosed on a /server-status page that is usually
visible only to inside monitoring systems. A configuration error was
introduced on March 19th 2019 which allowed onion services to access that
page which could be used to access that information. This issue was
reported in the Trac bugtracker (issue #30419) on May 6th 2019 and was
fixed within the hour.
== Mitigation
The server-status page was checked and the issue was confirmed. A check in
the git history found the bug and resolved it, and an audit was performed
to see if the issue was correctly resolved. Analysis of the logs suggests
there wasn't a significant increase in requests to /server-status.
Patch that introduced the bug:
{{{
commit 8ba7d37b9b2e2431e201752a1eb69a9bcce483e1
Date: Tue Mar 19 16:50:44 2019 -0400
port server-status configuration to Apache 2.4
I verified that all hosts run at least Apache 2.4.10-10+deb8u13,
shipped with Debian jessie.
This is necessary for the apache collector to work.
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/server-status
b/modules/apache2/files/common/etc/apache2/conf.d/server-status
index 1a44e9b9..9362bcc2 100644
--- a/modules/apache2/files/common/etc/apache2/conf.d/server-status
+++ b/modules/apache2/files/common/etc/apache2/conf.d/server-status
@@ -11,8 +11,6 @@
ExtendedStatus on
<Location /server-status>
SetHandler server-status
- Order deny,allow
- Deny from all
- Allow from 127.0.0.1
+ Require local
</Location>
</IfModule>
}}}
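Review bot: `Require local` is not a like-for-like port of `Allow from 127.0.0.1` in this hunk. Apache 2.4's `local` authorization provider also admits ::1 and any connection whose client and server addresses are the same, so a tor daemon on the same host forwarding onion-service connections to the server's own address passes as "local" and gets the status page. `Require ip 127.0.0.1` keeps the 2.2 scope exactly; if monitoring ever needs IPv6 loopback, add `Require ip ::1` explicitly rather than widening to `local`.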
Patch that fixed it:
{{{
commit 19d5a30ca88fba4aa57d2574774c72d344114b1a
Date: Mon May 6 19:47:36 2019 -0400
hide server-status from tor hidden services
This is a hotfix for bug #30419 which correctly identified that the
server-status pages are accessible when the webserver is accessed
through the hidden service. It's unclear to me why "local" isn't
equivalent to "127.0.0.1" but this fixes the problem on
troodi/trac/ea5faa5po25cf7fb.onion so I'm satisfied.
This was a regression introduced since march 19th, in commit
8ba7d37b9b2e2431e201752a1eb69a9bcce483e1.
diff --git a/modules/apache2/files/common/etc/apache2/conf.d/server-status
b/modules/apache2/files/common/etc/apache2/conf.d/server-status
index 9362bcc2..0da33673 100644
--- a/modules/apache2/files/common/etc/apache2/conf.d/server-status
+++ b/modules/apache2/files/common/etc/apache2/conf.d/server-status
@@ -11,6 +11,6 @@
ExtendedStatus on
<Location /server-status>
SetHandler server-status
- Require local
+ Require ip 127.0.0.1
</Location>
</IfModule>
}}}
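Review bot: `Require ip 127.0.0.1` closes the onion-service path only because the tor daemon reaches Apache on an address other than 127.0.0.1; it is the same scope as the pre-regression `Allow from 127.0.0.1`, which is why it restores the old behaviour, but if any HiddenServicePort target were ever pointed at 127.0.0.1:80 onion clients would again pass this rule. Worth recording that dependency in a comment next to the `Require` line, since nothing in the file otherwise explains why `local` (which also matches connections whose client and server addresses are identical) was the wrong choice.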
== Timeline
All times in UTC starting on 2019-05-07:
* 22:56:49 bug #30419 opened
* 23:36:04 noticed by anarcat
* 23:38:00 source of the problem identified
* 23:47:36 patch implemented
* 23:50:46 patch pushed to puppet
* 23:50:57 issue claimed by anarcat
* 00:00:00 (approximate) fix deployed everywhere, checks started
* 00:38:30 all .onion sites from onion.tpo and ticket audited
* 00:49:00 this report started
* 01:14:00 audit of the webserver logs completed
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30419#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
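The following is an added example, not code from the ticket or from the Tor sysadmin team's configuration. It models the documented decision logic of the three access rules that appear in the two patches above (the Apache 2.2 `Allow from 127.0.0.1` stanza, the 2.4 `Require local` that introduced the bug, and the 2.4 `Require ip 127.0.0.1` hotfix) and evaluates them against constructed connections. The onion-service connection is modelled as the tor daemon on the same host connecting to the server's own public address; that deployment detail is an assumption consistent with the hotfix working, since the page does not show the HiddenServicePort target. The addresses are documentation ranges, not real hosts.

```python
"""Model of Apache mod_authz_host decisions for a /server-status Location.

Added example (not Apache's code): reproduces the documented semantics of
`Allow from 127.0.0.1` (2.2), `Require local` (2.4) and `Require ip 127.0.0.1`
(2.4) and shows which constructed connections each rule admits.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Connection:
    client: str  # peer address as Apache sees it
    server: str  # local address the request arrived on


Rule = Callable[[Connection], bool]

LOOPBACK4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK6 = ipaddress.ip_address("::1")


def allow_from_127(conn: Connection) -> bool:
    """2.2 `Order deny,allow / Deny from all / Allow from 127.0.0.1`:
    only the literal IPv4 loopback address is admitted."""
    return ipaddress.ip_address(conn.client) == ipaddress.ip_address("127.0.0.1")


def require_local(conn: Connection) -> bool:
    """2.4 `Require local`: admits 127.0.0.0/8, ::1, OR any connection whose
    client and server addresses are identical (the documented third case).
    That third case is what lets a same-host tor daemon through."""
    client = ipaddress.ip_address(conn.client)
    server = ipaddress.ip_address(conn.server)
    return client in LOOPBACK4 or client == LOOPBACK6 or client == server


def require_ip(allowed: str) -> Rule:
    """2.4 `Require ip <addr-or-cidr>`: admits only clients inside the range.
    A mismatched address family (e.g. ::1 against 127.0.0.1) is denied."""
    network = ipaddress.ip_network(allowed, strict=False)

    def rule(conn: Connection) -> bool:
        return ipaddress.ip_address(conn.client) in network

    return rule


# Constructed connections (documentation address ranges, assumed deployment).
PUBLIC_IP = "203.0.113.10"  # stands in for the webserver's public address
CONNECTIONS: Dict[str, Connection] = {
    "monitoring via 127.0.0.1": Connection(client="127.0.0.1", server="127.0.0.1"),
    "monitoring via ::1": Connection(client="::1", server="::1"),
    # Assumption: HiddenServicePort forwards to the server's own public address,
    # so the tor daemon's outgoing connection has client == server.
    "onion (tor -> public address)": Connection(client=PUBLIC_IP, server=PUBLIC_IP),
    # Hypothetical variant: HiddenServicePort forwarding to 127.0.0.1:80.
    "onion (tor -> 127.0.0.1)": Connection(client="127.0.0.1", server="127.0.0.1"),
    "clearnet visitor": Connection(client="198.51.100.7", server=PUBLIC_IP),
}

RULES: Dict[str, Rule] = {
    "2.2 Allow from 127.0.0.1": allow_from_127,
    "2.4 Require local": require_local,
    "2.4 Require ip 127.0.0.1": require_ip("127.0.0.1"),
}


def evaluate(rules: Dict[str, Rule] = RULES,
             connections: Dict[str, Connection] = CONNECTIONS) -> Dict[str, Dict[str, bool]]:
    """Return {rule name: {connection name: allowed?}} for every pair."""
    return {
        rule_name: {conn_name: rule(conn) for conn_name, conn in connections.items()}
        for rule_name, rule in rules.items()
    }


def rules_leaking_to_onion(connection_name: str = "onion (tor -> public address)") -> list:
    """Names of the rules that would serve /server-status to the given onion path."""
    return [name for name, allowed in evaluate().items() if allowed[connection_name]]


if __name__ == "__main__":
    for rule_name, results in evaluate().items():
        print(rule_name)
        for conn_name, allowed in results.items():
            print(f"  {'ALLOW' if allowed else 'DENY '}  {conn_name}")
    print("leaks via same-host tor daemon:", rules_leaking_to_onion())
```

Running it shows that only `Require local` admits the onion connection that arrives on the server's own public address, while every rule, including the hotfix, admits the hypothetical variant where tor forwards to 127.0.0.1; the hotfix is therefore only sound together with a non-loopback HiddenServicePort target.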