[Globaleaks-talk] GlobaLeaks directory traversal vulnerability has been discovered and fixed
Yvette Agostini
yvette.agostini at gmail.com
Sun Feb 22 20:11:18 CET 2015
I posted the advisory on the GlobaLeaks Facebook page too.
Bravo Giovanni (as usual)
On 22 Feb 2015, at 18:21, Giovanni Pellerano <giovanni.pellerano at evilaliv3.org> wrote:
> Security Advisory - 22 February 2015 18:00 CET
>
> GlobaLeaks directory traversal vulnerability has been discovered and fixed
>
> The GlobaLeaks software, starting from the recent version 2.60.54, released on
> 28 January 2015 during an intensive session of customization for new
> whistleblowing projects, introduced a directory traversal vulnerability.
>
> On 16 February 2015, with the release of version 2.60.62, the issue was
> fixed.
>
> We invite anyone who installed or upgraded the GlobaLeaks software between
> 28 January and 16 February, and whose initiative is not publicly indexed on
> Wikipedia, to upgrade!
>
> Vulnerable versions
> The GlobaLeaks versions reported to be vulnerable:
> 2.60.61 - 2015-02-12
> 2.60.60 - 2015-02-10
> 2.60.59 - 2015-02-10
> 2.60.58 - 2015-02-04
> 2.60.57 - 2015-02-03
> 2.60.56 - 2015-02-03
> 2.60.55 - 2015-01-29
> 2.60.54 - 2015-01-28
>
> Exposure
> The vulnerability could potentially have enabled downloading all files in
> the /var/globaleaks/ directory, except for the Tor Hidden Service key (due to
> permissions).
>
> Out of the initiatives publicly using GlobaLeaks [1], only 4 out of 23
> were found to be vulnerable due to installation/upgrades done in the
> past few weeks.
>
> We coordinated, in a few hours, the release of the fix and the upgrades with
> the adopters and the infrastructure partners, which are now safe from this
> vulnerability.
>
> An analysis of the log files in /var/globaleaks/log/globaleaks* of
> those 4 users revealed no disclosure of sensitive information, such as the
> configuration database of the GlobaLeaks node.
>
> To check for exploitation of this vulnerability the right command is:
> grep '////' /var/globaleaks/log/*.log*
>
> The vulnerability was introduced with commit
> 4d59f7cc23256abf0e26755b0005044813e9c225 [2], which fixed issue #1110 [3].
> The vulnerability was fixed in commit
> 495c8e33a98e29a4bbe471f98d240ee9e077c738 [4].
>
> It should further be noted that, if GlobaLeaks were deployed on a system
> without AppArmor properly activated/installed, the vulnerability would
> have enabled the download of all world-readable files on the system,
> because of a collateral bug that did not prevent GlobaLeaks from
> starting if AppArmor was not available (but enabled, as it is by
> default).
> Release 2.60.62 fixes this issue too; now GlobaLeaks won't start if the
> AppArmor check fails.
>
> It should be noted that, since all submitted documents are encrypted
> using OpenPGP, this content was never exposed or endangered by this bug.
>
> Acknowledgements
> We want to thank a hacker (who prefers to remain unnamed), a supporter
> of open-source and anonymity software, who spotted the security bug and
> responsibly reported it to us, allowing an orderly handling of the issue.
>
> Apologies
> As GlobaLeaks team we apologize for the inconvenience and for the
> pressure we’ve put on the adopters to upgrade so quickly and to assess
> if any real information exposure happened.
>
> This vulnerability was introduced by mistake while working on/supporting
> the customizations and improvements of new whistleblowing projects, which
> are now starting on a monthly basis, bringing a lot of pressure.
>
> We are better organizing our procedures, getting out of
> overworking/working under pressure, with proper code review and release
> management for every new public release.
>
> The many major improvements being made under the 2014-2015 Roadmap will
> further improve the software with a multi-process segregated architecture
> (Postfix-like) and client-side encryption.
>
> Transparency
> We are committed to full transparency regarding our software development
> practices, including security vulnerabilities: we publish all
> Penetration Test Results [5] and invite hackers who work for the greater
> good to spot new bugs through our Bug Bounty program [6].
>
> [1] https://en.wikipedia.org/wiki/GlobaLeaks#Implementations
> [2] https://github.com/globaleaks/GlobaLeaks/commit/4d59f7cc23256abf0e26755b0005044813e9c225
> [3] https://github.com/globaleaks/GlobaLeaks/issues/1110
> [4] https://github.com/globaleaks/GlobaLeaks/commit/495c8e33a98e29a4bbe471f98d240ee9e077c738
> [5] https://github.com/globaleaks/GlobaLeaks/wiki/Penetration-Tests
> [6] https://www.globaleaks.org/bughunting/
>
> HERMES Center for Transparency and Digital Human Rights
> http://logioshermes.org
> GlobaLeaks Project https://globaleaks.org
> Contact: info at globaleaks.org
> IRC: irc.oftc.net #globaleaks
>
> _______________________________________________
> Globaleaks-talk mailing list
> Globaleaks-talk at lists.globaleaks.org
> http://lists.globaleaks.org/mailman/listinfo/globaleaks-talk
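The advisory above gives one operational check (grep the node logs for "////") and describes the class of bug (a file handler that lets a request escape the directory it is allowed to serve). The following Python is an added example written for this page; it is not GlobaLeaks code and it does not reproduce the actual vulnerable handler. The first function applies the advisory's grep test to log lines in Python; the second shows the generic containment check that prevents directory traversal in a static-file handler. The log lines and the log format are constructed for the example, and the base directory name is an assumption.

```python
"""
Added example, not GlobaLeaks project code.

1. find_traversal_attempts() applies the same substring test as the advisory's
   `grep '////' /var/globaleaks/log/*.log*`, so the check can be run from
   Python over an archive of log lines.
2. resolve_within_base() is the generic defence: normalise the requested path,
   reject anything that points above the served directory, and confirm the
   resolved filesystem path is still inside it.

The sample log lines below are constructed for this example; the log format
is an assumption and is not real GlobaLeaks output.
"""
import os
import posixpath

# Constructed sample log lines (format assumed for this example).
SAMPLE_LOG_LINES = [
    "2015-02-14 10:01:22+0000 [-] 127.0.0.1 GET /static/globaleaks.css 200",
    "2015-02-14 10:01:23+0000 [-] 127.0.0.1 GET /static////..//..//..//etc/passwd 200",
    "2015-02-14 10:02:05+0000 [-] 127.0.0.1 GET /static/logo.png 200",
]


def find_traversal_attempts(lines):
    """Return the lines the advisory's grep would print: those containing '////'."""
    return [line for line in lines if "////" in line]


def resolve_within_base(base_dir, requested):
    """
    Map a URL path fragment onto a file under base_dir.

    Returns the absolute filesystem path if the request stays inside base_dir,
    otherwise None. Two independent checks are applied:
      * a lexical one on the normalised request (rejects absolute paths and
        anything that climbs above the base with '..'), and
      * a filesystem one after realpath(), so a symlink inside the base that
        points outside it is also refused.
    """
    # posixpath.normpath collapses repeated slashes, '.' and '..' segments,
    # so '////..//..//etc/passwd' becomes '/etc/passwd' and '..//x' becomes '../x'.
    normalised = posixpath.normpath(requested)
    if normalised.startswith("/") or normalised == ".." or normalised.startswith("../"):
        return None

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Assumed base directory for the static-file handler in this example.
    base = "/srv/globaleaks/files"
    for line in find_traversal_attempts(SAMPLE_LOG_LINES):
        print("suspicious:", line)
    for req in ("css/style.css", "////..//..//etc/passwd", "../etc/passwd"):
        print(repr(req), "->", resolve_within_base(base, req))
```

The lexical rejection is deliberate: silently collapsing a traversal attempt into a path under the base would serve a different file than the client named and would hide the probe from the logs, while refusing it keeps the request visible to exactly the kind of after-the-fact grep the advisory recommends.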