Cure53 Report - 2langnic/GlobaLeaks GitHub Wiki
GlobaLeaks received its first web penetration test audit, conducted by Cure53 during the preliminary Alpha Release. The audit was carried out in Q1 2013 and was sponsored by the Open Technology Fund (RFA). The penetration test yielded a total of 17 issues, of which 1 was rated critical, 7 medium and 9 low in impact.
The complete report is available at: https://cure53.de/pentest-report_globaleaks.pdf
All of the identified security issues have been properly fixed, with the approach used to solve each problem discussed with Cure53.
Below we list all issues with their status and, where available, a reference to the GitHub commit.
Fixed issues
- GL 01-001 Receiver Login allows password-less authentication (Critical)
- GL 01-002 XSS via sniffing and JSON injection in authentication page (Medium)
- GL 01-003 Unsafe File-Downloads in Receiver-Area causing Local XSS (Medium)
- GL 01-004 Possible information leakage through Browser / Proxy Cache (Medium)
- GL 01-014 Lack of protection against brute-forcing admin role password (Medium)
- GL 01-005 Log-File contains un-encoded HTML characters (Low)
- GL 01-007 Crafted File-Uploads allow Content-Type Spoofing (Low)
- GL 01-008 X-Frame-Options header not present (Low)
- GL 01-009 Login / File upload sections do not have CSRF tokens (Low)
- GL 01-011 Admin-Uploads functional despite content filter / validation (Low)
- GL 01-012 Default admin credentials and search engine indexing (Medium)
- GL 01-013 Potential Arbitrary File writes on non-default configuration (Low)
- GL 01-015 Application log file contains administrator password (Low)
- GL 01-016 Weak filesystem permissions enable local attacks (Medium)
Open issues
- GL 01-010 Admin role does not have a username (Low)
- GL 01-017 Readable hard-coded credentials might compromise users (Low)
- GL 01-006 Whistleblower uploads allow flooding the server hard-disk (Medium)
The GlobaLeaks team would like to thank Cure53 for the audit and the Open Technology Fund for sponsoring it.