Slashdot Mirror


Sensitive Information Can Be Revealed From Tor Hidden Services On Apache (dailydot.com)

Patrick O'Neill writes: A common configuration mistake in Apache, the most popular Web server software in the world, can allow anyone to look behind the curtains on a hidden server to see everything from total traffic to active HTTP requests. When a hidden service reveals the HTTP requests, it's revealing every file—a Web page, picture, movie, .zip, anything at all—that's fetched from the server. Tor's developers were aware of the issue as early as last year but decided against sending out an advisory. The problem is common enough that even Tor's own developers have made the exact same mistake. Until October 2015, the machine that welcomed new users to the Tor network and checked if they were running up-to-date software allowed anyone to look at total traffic and watch all the requests.

6 of 37 comments

  1. Server Misconfiguration is news? by Athanasius · · Score: 2

    This is simply server misconfiguration. I can't comment on other distributions but Debian at least restricts /server-status URL access to localhost by default. You'd have to explicitly change this to allow from anywhere else.

  2. Summaries for Nerds by bill_mcgonigle · · Score: 5, Informative

    Disable or restrict access to mod_status if you run a Tor hidden service on Apache, because mod_status is often enabled by default and serves to localhost; Tor connects from localhost. mod_status shows some details of current requests which could leak info on other users.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  3. You hit the nail on the head! by burni2 · · Score: 2

    Literally, because exactly this is the problem here.

    As a person visiting a web-site, your communication with the webserver is actually coming from the localhost, leaving no way for the webserver to distinguish between a sysadmin and a normal visitor.

  4. Re:If you take 3 different steps to conf it public by Sun · · Score: 2, Insightful

    I think that a hidden service sees incoming traffic as originating from itself, as that's where the TOR node is that unwraps this traffic.

    On my server, it was turned on despite me not turning it on (but, of course, not open to the outside). I don't know why, BTW.

    Shachar

  5. Localhost by SlayerofGods · · Score: 3, Insightful

    I always thought it seemed kind of foolish to run the web service and the Tor node on the same system. Seems like it would be better to run the Tor node on its own system and act as a gateway for the web server (with all appropriate firewall rules to prevent the server from talking to anyone besides the Tor node). This would not only prevent this kind of attack where localhost traffic is semi-trusted, but perhaps more significantly it would prevent the webserver from ever leaking its public address, as it can't know what it is. My 2 cents

    --

    Technology, the cause of and solution to all of life's problems.
  6. Re:If you take 3 different steps to conf it public by dissy · · Score: 4, Informative

    First, the server admin would have to enable mod_status.
    Then, by default it's visible only from the server itself - the physical console or an ssh connection.
    Then, to see the request URLs, you have to turn ExtendedStatus on as well.

    It's easy to miss one of these steps when you're TRYING to turn it on. If you're offering a hidden service, it seems rather unlikely you'd work so hard to gather and publish extended status.

    I just spun up a brand new Debian 8.2 VM instance, apt-get upgraded it to current, and apt-get installed apache2 - everything current as of 10ish minutes ago.

    root@dev10:~# ls -l /etc/apache2/mods-enabled/status*
    lrwxrwxrwx 1 root root 29 Jan 30 21:58 /etc/apache2/mods-enabled/status.conf -> ../mods-available/status.conf
    lrwxrwxrwx 1 root root 29 Jan 30 21:58 /etc/apache2/mods-enabled/status.load -> ../mods-available/status.load

    root@dev10:~# grep -i extended /etc/apache2/mods-enabled/status.conf
                    # Keep track of extended status information for each request
                    ExtendedStatus On

    root@dev10:~# grep -i location -A 2 /etc/apache2/mods-enabled/status.conf
                    <Location /server-status>
                                    SetHandler server-status
                                    Require local

    Both mod_status and the extended status mode are enabled by default.

    Yes they are restricted to localhost only, however if one ran apache and a tor proxy on the same machine, the tor proxy would be connecting to apache over localhost and so would be allowed.

    Being a debian config I would assume many debian based systems may very well have this same default config.

    Looking at the first example screenshot in the article, it explicitly shows it to be apache 2.2.16 running on a debian system. That means the server came set up that way and the owner didn't disable it.

    I can't speak for other distros or what the defaults are when apache is compiled from original sources and what not.
    But I would certainly recommend at least looking through your 'mods-enabled' dir Just In Case (tm)
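
Putting the advice in comments 2 and 6 into a runnable check, as an added example that is not from the thread and not Debian's or Apache's own tooling: the script below builds a throwaway mods-enabled directory with a constructed copy of the Debian 8 default status.conf (mod_status loaded, "Require local", ExtendedStatus On), reports why that combination leaks on a hidden service, then rewrites it so only a non-loopback management address may read /server-status with ExtendedStatus off, and re-checks. The address 192.0.2.10 is an assumed management address, and the "Require" lines are Apache 2.4 syntax; the 2.2.16 box in the article's screenshot would use "Order"/"Allow from" instead, which the audit also looks for.

```shell
#!/bin/sh
# Added example, not code from the thread, Debian or Apache. Audits an Apache
# mods-enabled directory for the combination the comments describe: mod_status
# loaded, access granted to localhost, ExtendedStatus On. Harmless on a normal
# server, but the tor daemon hands hidden-service requests to Apache from
# 127.0.0.1, so "Require local" admits every Tor visitor.
# The config below is constructed to mirror the Debian 8 default; point the
# functions at /etc/apache2/mods-enabled to check a real host.

# make_demo_dir: build a throwaway mods-enabled dir holding the risky default.
make_demo_dir() {
    d=$(mktemp -d)
    : > "$d/status.load"          # presence of status.load == module enabled
    cat > "$d/status.conf" <<'EOF'
<IfModule mod_status.c>
        <Location /server-status>
                SetHandler server-status
                Require local
                #Require ip 192.0.2.0/24
        </Location>
        # Keep track of extended status information for each request
        ExtendedStatus On
</IfModule>
EOF
    echo "$d"
}

# grants_loopback CONF: true if an active (uncommented) access rule admits
# localhost, in 2.4 ("Require local", "Require ip 127...") or 2.2 ("Allow from
# 127...") syntax. A commented-out rule does not count.
grants_loopback() {
    grep -qiE '^[[:space:]]*(Require[[:space:]]+(local|ip[[:space:]]+127\.|ip[[:space:]]+::1)|Allow[[:space:]]+from[[:space:]]+(127\.|::1|localhost))' "$1"
}

# extended_on CONF: true if ExtendedStatus is switched on in this file.
extended_on() {
    grep -qiE '^[[:space:]]*ExtendedStatus[[:space:]]+On' "$1"
}

# status_risk DIR: print a finding; return 0 if safe for a hidden service,
# 1 if /server-status is readable by anyone arriving through the local tor daemon.
status_risk() {
    dir="$1"
    if [ ! -e "$dir/status.load" ]; then
        echo "mod_status not enabled: nothing exposed"
        return 0
    fi
    if [ -e "$dir/status.conf" ] && grants_loopback "$dir/status.conf"; then
        if extended_on "$dir/status.conf"; then
            echo "RISK: /server-status open to localhost with ExtendedStatus On (request URLs visible to every Tor visitor)"
        else
            echo "RISK: /server-status open to localhost (traffic totals and worker state visible to every Tor visitor)"
        fi
        return 1
    fi
    echo "mod_status loaded but not reachable from localhost: OK"
    return 0
}

# harden_status_conf DIR ADMIN_IP: keep the status page but restrict it to one
# non-loopback address (assumed management address) and drop per-request detail.
# Where no status page is wanted at all, "a2dismod status" is the simpler fix.
harden_status_conf() {
    dir="$1"; admin="$2"
    cat > "$dir/status.conf" <<EOF
<IfModule mod_status.c>
        <Location /server-status>
                SetHandler server-status
                Require ip $admin
        </Location>
        ExtendedStatus Off
</IfModule>
EOF
}

# Demo run: the default leaks, the rewritten config does not.
DEMO=$(make_demo_dir)
status_risk "$DEMO" || true            # prints the RISK line for the default
harden_status_conf "$DEMO" 192.0.2.10  # 192.0.2.10: assumed management address
status_risk "$DEMO"                    # prints the OK line
rm -rf "$DEMO"
```

On a live box the equivalent checks are `apache2ctl -M | grep status`, `ls /etc/apache2/mods-enabled/status*`, and simply `curl -s http://127.0.0.1/server-status` from the server itself, which returns exactly what a Tor visitor sees because the daemon connects from loopback. The function only reads status.conf; a Location for server-status or an ExtendedStatus line can also live in apache2.conf or a vhost file, so grep the whole /etc/apache2 tree before trusting an OK. Note that "Require ip" on a management address only helps if the admin reaches the box off-Tor (a management interface or VPN); an admin browsing the hidden service is also 127.0.0.1, so for a box that is only ever reached through Tor, disabling the module is the honest fix.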