This repository has been archived by the owner on Oct 23, 2020. It is now read-only.
The default static web service bundled with APAF serves the contents of the system /tmp directory.
Instructions for reproducing: (on Fedora 17 with python-virtualenv)
(install virtualenv, virtualenvwrapper -- yum install python-virtualenv python-virtualenvwrapper)
mkvirtualenv VIRTUAL_ENVIRONMENT (will automatically activate this virtualenv)
(install dependencies and apaf)
cd /path/to/APAF; python apaf/main.py
Look for the hidden service .onion address from the following lines:
(timestamp) [TorControlProtocol,client] panel service running at ONION_ADDRESS_1.onion
(timestamp) [TorControlProtocol,client] staticwebserver service running at ONION_ADDRESS_2.onion
Navigate to http://SOME_OTHER_ONION.onion and observe the contents of /tmp
This could leak information about other services on the system.
Suggested fix: set the root of the web service to a new empty directory.
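One way to apply the suggested fix, as an added example that is not part of the original issue or of APAF's code: a startup check that refuses to publish a shared directory and creates a fresh, empty, owner-only document root instead. The function name `prepare_docroot`, the exception `UnsafeDocroot` and the deny-list are assumptions made for this sketch.

```python
import os
import stat
import tempfile

# Directories shared by every local user and service; never a document root.
# (Deny-list constructed for this example.)
SHARED_DIRS = {"/", "/tmp", "/var/tmp", tempfile.gettempdir()}


class UnsafeDocroot(Exception):
    """Raised when a directory must not be published by the static service."""


def prepare_docroot(path):
    """Return a directory that is safe to publish, creating it if needed.

    Rejects shared locations (and any ancestor of one), directories owned by
    another user, and group- or world-writable directories. A directory
    created here starts empty with mode 0700.
    """
    real = os.path.realpath(path)  # resolve symlinks before any check
    prefix = real.rstrip("/") + "/"
    for shared in SHARED_DIRS:
        shared_real = os.path.realpath(shared)
        # Reject the shared directory itself and anything that contains it.
        if shared_real == real or shared_real.startswith(prefix):
            raise UnsafeDocroot("%s exposes shared directory %s" % (real, shared_real))
    if not os.path.exists(real):
        os.makedirs(real, mode=0o700)
        os.chmod(real, 0o700)  # makedirs mode is filtered by the umask
        return real
    st = os.stat(real)
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDocroot("%s is not a directory" % real)
    if st.st_uid != os.getuid():
        raise UnsafeDocroot("%s is owned by another user" % real)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeDocroot("%s is group- or world-writable" % real)
    return real
```

Resolving symlinks first matters: a document root that is merely a link to /tmp would otherwise pass a plain string comparison.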