Note re-creation vulnerability #57
This adds a server secret and uses it to sign the generated url with a timestamp to prevent client-side tampering. fixes atoponce#57
I updated my installation but am now getting a 500 error. The error.log file says:

```
UndefinedError: 'note' is undefined
```

Where should I define it, and how?

Was there a traceback?

It could be that I have different versions of libraries.

Also, there are two new config options that need to be added to dnote.py:

- `server_secret` - long, random string without special characters
- `signature_validity` - integer, default 300 seconds

On Wed, Jan 22, 2020, 02:17 DFF-fred wrote:

> I updated my installation but am now getting a 500 error. The error.log file says:
> UndefinedError: 'note' is undefined
> Where should I define it, and how?
Yes there is a traceback. Here it is:

```
[2020-01-22 09:14:03,309] ERROR in app: Exception on / [GET]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1982, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1614, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1517, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1612, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1598, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/__init__.py", line 15, in index
    return render_template('index.html', random=note.url, error=error)
  File "/usr/lib/python2.7/dist-packages/flask/templating.py", line 134, in render_template
    context, ctx.app)
  File "/usr/lib/python2.7/dist-packages/flask/templating.py", line 116, in _render
    rv = template.render(context)
  File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 1008, in render
    return self.environment.handle_exception(exc_info, True)
  File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 780, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/templates/index.html", line 1, in top-level template code
    {% extends "base.html" %}
  File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/templates/base.html", line 73, in top-level template code
    {% block content %}{% endblock %}
  File "/usr/local/lib/python2.7/dist-packages/dnote-1.0.1-py2.7.egg/dnote/templates/index.html", line 27, in block "content"
    <input name="new_url" type="hidden" value="{{ note.url }}" />
  File "/usr/lib/python2.7/dist-packages/jinja2/environment.py", line 430, in getattr
    return getattr(obj, attribute)
UndefinedError: 'note' is undefined
```

Also I didn't find any dnote.py. Are you referring to d-note.ini or note.py? Thank you.

It looks like dnote/__init__.py did not get updated on your installation.

`dnote.py` should be in either /etc/dnote or ~/.dnote/ .

--
Eldon

On Thu, Jan 23, 2020, 02:56 DFF-fred wrote:

> Yes there is a traceback. Here it is:
> […]
> Also I didn't find any dnote.py. Are you referring to d-note.ini or note.py?
> Thank you.
Indeed I had 2 files out of 4 not updated. For some reason Github is showing me the old version of the files, but the page with the changes is ok. Anyway I now think I did the changes right and the app is showing. Unfortunately when I click on Submit I get this:

```
Your request appears to have been tampered with. Please try again.
error: could not convert string to float: None
```

And I didn't find any dnote.py. Are you referring to the 2 extra lines in generate_dnote_hashes? Then it reads from d-note.ini and generates a dconfig.py and I can see those 2 extra variables in it.

Sorry, it is dconfig.py .

This has not been merged yet, so can you try cloning my branch like this?

```sh
git clone --single-branch --branch verify_new_url https://github.com/ekoyle/d-note.git
```

On Thu, Jan 23, 2020, 20:51 DFF-fred wrote:

> Indeed I had 2 files out of 4 not updated. For some reason Github is showing me the old version of the files, but the page with the changes is ok. Anyway I now think I did the changes right and the app is showing. Unfortunately when I click on Submit I get this:
> "Your request appears to have been tampered with. Please try again.
> error: could not convert string to float: None"
> And I didn't find any dnote.py. Are you referring to the 2 extra lines in generate_dnote_hashes? Then it reads from d-note.ini and generates a dconfig.py and I can see those 2 extra variables in it.
Oh... well, I think I verified the 5 files and they are similar now. I'll try to do that and revert to you, but it might not happen right away as I need to go out right now. I'll let you know then.

So yes, your branch works. I need to figure out what's not working in my version... Thank you very much for your help.
@santiago-usu recommended just removing that variable from the, but I thought it was used by the hashcash validation. Upon further inspection, that does not appear to be the case. Maybe it would be better to wait until after the post to generate the private_id/new_url? Also, I kind of question the usefulness of the hashcash operation as it is implemented... the server isn't validating the browser fingerprint (not sure if this is possible), the date, or any other part of it besides ensuring the hash of it starts with '0000' -- the only restriction is that the token has not been used before. It would be trivial to find a long list of valid hashcash tokens.
Hi! Not sure what is happening, but the application suddenly stopped working. I reinstalled (a few times) and it seems the main repository is still at the old version? I also did an install from your branch as instructed above and am getting the same problem:

Looking into dnote/data I do not see any file created or hashcash.db as mentioned in the troubleshooting section, and I set the data dir as 777.

PS: I am having the same issue at https://ae7.st/d/
Hi! Well, thank you for the feedback. I've struggled a bit and finally found another maintained project doing the same, called PrivateBin, on GitHub as well. It seems to be running fine so far. Thanks again for your help.
The web UI will allow a client-generated `private id` to be used (by altering the value of the hidden `new_url` input), which allows a malicious user to view and/or modify a note without detection.

After viewing the note, the malicious user only needs to re-create it using the same `private id` and (optional) passphrase. The note could be identical or modified, and there is no way for the intended recipient to detect this. A note can also be overwritten without being viewed first if the `private id` is known.

I recommend using a server-side secret to validate that the `private id` was generated on the server and not by a malicious user. It would also be a good idea to include a timestamp to validate the `private id` was generated recently.
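The mitigation recommended in the issue body and the shape of the fix the pull request describes (a `server_secret` used to sign the generated URL together with a timestamp, checked against a `signature_validity` window) can be illustrated with the following Python 3 example. It is added here and is not d-note's own code: the token layout `private_id.timestamp.signature`, the function names, the use of HMAC-SHA256 over `private_id:timestamp`, and the constructed secret are all assumptions. The verifier validates every field before converting it, so a submission whose timestamp field is missing (the "could not convert string to float: None" reported in the thread) is rejected as malformed instead of raising.

```python
import hashlib
import hmac
import secrets
import time

# Assumed configuration, mirroring the two options the pull request adds to dconfig.py.
# A deployment would use a fixed, long random string; this one is constructed per run.
SERVER_SECRET = secrets.token_hex(32)
SIGNATURE_VALIDITY = 300  # seconds; the default stated in the thread


def _sign(secret, private_id, timestamp):
    """HMAC-SHA256 over the private id and its issue time (assumed construction)."""
    message = "{}:{}".format(private_id, timestamp).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), message, hashlib.sha256).hexdigest()


def generate_new_url(secret=SERVER_SECRET, now=None):
    """Server side: mint a fresh private id and bind it to this server and this moment.

    The returned token is what the hidden new_url input would carry (assumed layout:
    private_id.timestamp.signature). A client can still edit the input, but cannot
    produce a valid signature for a private id of its own choosing.
    """
    private_id = secrets.token_urlsafe(16)  # URL-safe base64: never contains '.'
    timestamp = int(time.time()) if now is None else int(now)
    return "{}.{}.{}".format(private_id, timestamp, _sign(secret, private_id, timestamp))


def verify_new_url(token, secret=SERVER_SECRET, validity=SIGNATURE_VALIDITY, now=None):
    """Server side, on submit: return (private_id, None) if the token is genuine and
    fresh, otherwise (None, reason) with reason in {"malformed", "tampered", "expired"}.
    """
    if not isinstance(token, str):
        return None, "malformed"
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed"
    private_id, timestamp_str, signature = parts
    if not private_id:
        return None, "malformed"
    try:
        timestamp = int(timestamp_str)  # "None" or "" lands here instead of crashing
    except ValueError:
        return None, "malformed"
    # Check the MAC before trusting any field; constant-time compare avoids leaking
    # how many characters of a guessed signature matched.
    if not hmac.compare_digest(_sign(secret, private_id, timestamp), signature):
        return None, "tampered"
    current = int(time.time()) if now is None else int(now)
    # Reject stale tokens and tokens dated in the future.
    if current < timestamp or current - timestamp > validity:
        return None, "expired"
    return private_id, None


if __name__ == "__main__":
    token = generate_new_url()
    print("issued:", token)
    print("genuine and fresh:", verify_new_url(token))
    # A client swapping in its own private id while keeping the server's timestamp
    # and signature fails the MAC check, which is the point of the fix.
    swapped = "client-chosen-id." + ".".join(token.split(".")[1:])
    print("client-chosen id:", verify_new_url(swapped))
    print("missing timestamp:", verify_new_url("someid.None.abc"))
```

The validity window is checked only after the signature verifies, so a forged token never reaches the timestamp comparison, and the server-side secret stays in configuration rather than in any value sent to the browser.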