Current behavior
The application discloses the IP addresses whitelisted in the "Restrict privileged logins to specific IP addresses" setting.
When /public is requested, the JSON response contains the IP address whitelisted in ip_filter_authenticated. I have not seen the whitelisted IP address sent back to the server, and it does not seem to be needed for any application functionality.
Additionally, perform input validation on the IP value when Restrict Privileged Access is enabled. Otherwise it leads to a DoS, as nobody can log in.
Expected behavior
Whitelisted IP addresses should not be disclosed, as a whitelisted IP can become a target. An attacker of the application can target privileged users (whose IP is now known) in order to get access to the application.
Steps to reproduce the problem or feature illustration
Enable "Restrict privileged logins to specific IP addresses"
Include an IP address under "Whitelisted IP Addresses"
Request /public and inspect the JSON-formatted response for the IP address. The IP will be set as the value of ip_filter_authenticated.
What is the motivation or use case for changing the behavior?
Security Risk
GlobaLeaks version:
Version 3.5.5
Browser:
Firefox
Server Operating System and Version (if applicable):
Server Ubuntu 14.04
Client Operating System and Version (if applicable):
Client Windows 10
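The reproduction steps and the input-validation request above, as an added example that is not code from the original issue or from GlobaLeaks itself. It runs offline against a constructed /public body: the nesting of ip_filter_authenticated under a "node" object, the sample values, and the function names (check_public_response, validate_ip_filter, is_allowed) are assumptions made for illustration, not GlobaLeaks' real response layout or API.

```python
"""Added example (not GlobaLeaks code) covering the two points of the issue:

1. check_public_response(): scan an unauthenticated /public JSON body for a
   populated ip_filter_authenticated value, i.e. the whitelist disclosure.
2. validate_ip_filter(): strict validation of the whitelist string, so that a
   malformed entry is rejected at save time instead of locking every
   privileged user out (the DoS the issue mentions).
3. is_allowed(): the check a login handler would run against the parsed list.

The sample JSON below is constructed from the issue text; GlobaLeaks' real
response layout may differ (assumption).
"""
import ipaddress
import json

# Constructed sample /public response, trimmed to the relevant keys.
SAMPLE_PUBLIC_JSON = json.dumps({
    "node": {
        "ip_filter_authenticated_enable": True,
        "ip_filter_authenticated": "203.0.113.10, 198.51.100.0/24",
    }
})


def find_key(obj, key):
    """Recursively yield every value stored under `key` in a parsed JSON tree."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(obj, list):
        for item in obj:
            yield from find_key(item, key)


def check_public_response(body, key="ip_filter_authenticated"):
    """Return the non-empty whitelist strings exposed by a /public body.

    An unauthenticated endpoint should expose nothing here; any returned
    entry is the disclosure reported in the issue."""
    data = json.loads(body)
    return [v for v in find_key(data, key) if isinstance(v, str) and v.strip()]


def validate_ip_filter(value):
    """Parse a comma-separated whitelist of IP addresses / CIDR networks.

    Raises ValueError on any entry that is not a valid address or network
    (e.g. '192.168.1' or '10.0.0.0/33'), so the value cannot be saved and
    silently lock out every privileged login."""
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            # strict=False lets '203.0.113.10' become a /32 host network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid whitelist entry {entry!r}: {exc}") from None
    if not networks:
        raise ValueError("whitelist is enabled but contains no valid entries")
    return networks


def is_valid_ip_filter(value):
    """Boolean wrapper around validate_ip_filter for a save-time check."""
    try:
        validate_ip_filter(value)
        return True
    except ValueError:
        return False


def is_allowed(client_ip, networks):
    """True if the client address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    print("disclosed by /public:", check_public_response(SAMPLE_PUBLIC_JSON))
    nets = validate_ip_filter("203.0.113.10, 198.51.100.0/24")
    print("203.0.113.10 allowed:", is_allowed("203.0.113.10", nets))
    print("bad entry accepted:", is_valid_ip_filter("203.0.113.10, 10.0.0.0/33"))
```

Running check_public_response against a live instance would mean fetching /public with no session cookie and passing the body in; an empty list is the expected result once the field is no longer served to unauthenticated clients.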