Comments (4)
The purpose of those blocks is to ease the collection of debugging information, so I don't want to totally remove them. As 2FAuth is now multi-user, I agree they could be restricted to administrators. I think I will move the Environment block, as well as the Admin block, to the new admin section I'm working on. I already made the User preferences block visible in this admin section, so the About page could indeed be cleared as you suggest.
Currently the /about view is visible to authenticated users only. The view contains two information blocks, Environment and User preferences. When authenticated with an admin account, an additional block is visible, Admin settings. I don't think this is a security risk as long as that information is only visible to authenticated users.
Also, Environment is better reserved to admins: it exposes data about the runtime (bugs) to standard users, who do not need this kind of information.
It might not be a security risk right now, but it could be in the future; removing the environment variables would keep the server's backend information away from the public if the instance is reachable via WAN.
For Example:
Date: Wed, 21 Feb 2024 08:30:17
userAgent: -----------
Version: 5.0.3
Environment: production
Install path: /
Debug: false
Cache driver: file
Log channel: daily
Log level:
DB driver: sqlite
PHP version: 8.2.0
Operating system: Linux
interface: apache2handler
Auth guard: web-guard
webauthn user verification: preferred
Trusted proxies: none
If I was an attacker, this is what he would now know about my system.
He knows:
- The server's exact time
- The 2FAuth version
- The Environment is set to production
- Where the install path is (/ = root)
- The system has disabled debug mode.
- How the app is handling cache and logging
- What database I am using.
- What PHP version is running on the server, the operating system and the apache2/nginx handler
- He now knows what auth guard I'm using
- He knows WebAuthn is preferred
- All my trusted proxies
Knowing all that information can lead to a security risk as there are multiple points of failure:
- OS
- db type
- app version
- php version and interface
- trusted proxies
Something like this would be perfect, leaving out all the backend information on the /about page:
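An added illustration of the two positions in this thread (it is not 2FAuth's own code): the behaviour the maintainer describes today, where every authenticated user receives the Environment block, beside the admin-gated variant proposed as the fix, plus a small audit helper that reports which backend-identifying keys a given user would still see. The field names are taken from the /about output quoted above; the User class, its is_admin flag and the contents of the User preferences and Admin settings blocks are assumptions made up for the example.

```python
"""Role-gated assembly of an /about payload (added illustration, not 2FAuth code).

Field names come from the /about output quoted in the issue. The User class,
its `is_admin` flag and the contents of the two smaller blocks are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed snapshot of the diagnostic values the reporter's /about page showed.
ENVIRONMENT_BLOCK: Dict[str, str] = {
    "Version": "5.0.3",
    "Environment": "production",
    "Install path": "/",
    "Debug": "false",
    "Cache driver": "file",
    "Log channel": "daily",
    "Log level": "",
    "DB driver": "sqlite",
    "PHP version": "8.2.0",
    "Operating system": "Linux",
    "interface": "apache2handler",
    "Auth guard": "web-guard",
    "webauthn user verification": "preferred",
    "Trusted proxies": "none",
}
USER_PREFERENCES_BLOCK: Dict[str, str] = {"theme": "dark", "lang": "en"}  # constructed
ADMIN_SETTINGS_BLOCK: Dict[str, str] = {"checkForUpdate": "true"}        # constructed

# Keys that describe the server stack rather than the user's own account:
# the items the reporter listed as points of failure.
BACKEND_KEYS: Set[str] = {
    "Version", "Environment", "Install path", "Debug", "Cache driver",
    "Log channel", "Log level", "DB driver", "PHP version",
    "Operating system", "interface", "Auth guard", "Trusted proxies",
}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False  # assumed role flag


def about_payload_current(user: Optional[User]) -> Dict[str, Dict[str, str]]:
    """Behaviour described in the thread: any authenticated user gets Environment."""
    if user is None:
        raise PermissionError("authentication required")
    payload = {
        "Environment": ENVIRONMENT_BLOCK,
        "User preferences": USER_PREFERENCES_BLOCK,
    }
    if user.is_admin:
        payload["Admin settings"] = ADMIN_SETTINGS_BLOCK
    return payload


def about_payload_admin_gated(user: Optional[User]) -> Dict[str, Dict[str, str]]:
    """Maintainer's proposal: Environment and Admin settings only for admins."""
    if user is None:
        raise PermissionError("authentication required")
    payload = {"User preferences": USER_PREFERENCES_BLOCK}
    if user.is_admin:
        payload["Environment"] = ENVIRONMENT_BLOCK
        payload["Admin settings"] = ADMIN_SETTINGS_BLOCK
    return payload


def leaked_backend_keys(payload: Dict[str, Dict[str, str]]) -> Set[str]:
    """Backend-identifying keys present in any block of a payload (for audits/tests)."""
    found: Set[str] = set()
    for block in payload.values():
        found |= BACKEND_KEYS & set(block)
    return found


if __name__ == "__main__":
    alice = User("alice")  # a regular, non-admin user
    for label, build in (("current", about_payload_current),
                         ("admin-gated", about_payload_admin_gated)):
        print(f"{label}: non-admin sees {sorted(leaked_backend_keys(build(alice)))}")
```

The audit helper is the part worth keeping in a test suite: a regression test that asserts leaked_backend_keys() is empty for a non-admin user catches any future block that reintroduces server details into the page.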