Issue F. Tip Files Can Be Downloaded Without Authenticating #826
Comments
evilaliv3
changed the title
|
@defuse : https://github.com/globaleaks/GLBackend/commit/80697946f00db4db3e30fe7b174c48aa9952fbc2 with this commit we removed entirely the concept of the download token and we implemented simply a POST authentication. as you can see at line 501 of that commit, the post authentication works exactly as the HEADER based authentication already audited, but instead of handling X-Session header we handle x-session POST variable. can this ticket be considered closed? |
|
It looks like the code is checking that the one sending the POST request is logged in as a receiver, which is an improvement, but I don't see it check anywhere that they are the correct receiver. In other words, it looks like a receiver who is not supposed to have access to the tip can download the files as long as they know the file id. Is that the case, or did I overlook an authentication check somewhere? |
|
allright ok i'm going to add also this check :) |
|
@defuse: here you are now a strict auth validation is done so that the download for single files or file collection is granted only to the precise logged user and nor a whatever user logged and apart of the link. https://github.com/globaleaks/GLBackend/commit/f9c9b8b09fc14198c418f13d9959abe00cea5cc4 |
|
@evilaliv3 I think there is a problem with the From the POST request, the user provides the So there needs to be an additional check to make sure the |
|
yep, right comment. applied the fix suggested: |
Synopsis: GlobaLeaks does not check if the user is authenticated when downloading files. The files are
protected only with a string generated by uuid4(), which might be predictable (see Issue K: Secrets
Generated with Non-CSPRNG), or vulnerable to side-channel attacks (see Issue J: Attacker May Be Able To Extract Secrets Through Side-Channel Attacks).
Impact: An attacker can access the files associated with a Tip.
The text was updated successfully, but these errors were encountered: