posted by janrinok on Friday October 21 2016, @09:43AM
from the doh! dept.

... I present the case of Mr. [redacted] a European application developer who has taken it upon himself to sell drugs on the side.

... for whatever reason, he hosts the site for his newly founded application development business on the same server as his drug business.

This means the server-status leak not only exposes the location of the server hosting the drug advertisement. It also points directly to the identity of the man behind it all.

Now that might seem obvious, but do you know why it is dangerous?

Server status pages are generated by the Apache web server's mod_status module to help people understand how their sites are performing. Leaks occur when the pages are inadvertently made available to the rest of us. On an ordinary website, a server-status page will expose any private data that's contained in the URLs that its users are visiting, bypassing the protection of HTTPS. On rare occasions, that private data can even include users' session IDs and passwords.

On Dark Web sites things get far more serious. If you run a Dark Web site and a regular website on the same server, as "Mr. [redacted]" and many others do, then both addresses will appear in that server's server-status page (the article includes a screenshot of exactly that: the .onion name and the clearnet domain side by side in the VHost column).

Thanks to an unlucky interaction between Apache's default configuration and the way Tor delivers traffic, leaky server-status pages are actually much more common on Dark Web sites than they are on regular sites. By default, Apache server-status pages are kept away from prying eyes and are only visible to users on the localhost machine, the machine the server is actually running on (the stock Debian/Ubuntu status.conf, for example, guards /server-status with `Require local`). Exposing a server-status page on the regular web therefore takes some effort: you actually have to get into the configuration and screw it up. On the Dark Web the opposite is true: your server-status page is exposed unless you get into the configuration and fix it. That's because the Tor daemon (the software that makes your website 'Dark') runs on the same machine and forwards every onion connection to the web server over loopback, so Apache sees all of that traffic arriving from 127.0.0.1, the localhost address, and grants every visitor the privilege of viewing your server-status page.
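The weak and the corrected configuration side by side, as an added example (this is not configuration from the article, from Sophos, or from the operator described; the loopback alias 127.0.0.2, the ports, the paths and the .onion name are assumed placeholders, and the "WEAK" fragments are the Debian/Ubuntu defaults as shipped at the time). The fix does not rely on a smarter `Require` rule, because every onion visitor really does arrive from 127.0.0.1; it separates the listeners so that the address Tor forwards to never carries the status handler at all.

```apache
# === torrc ===============================================================
# WEAK (the usual copy-paste): Tor delivers every onion visitor to Apache
# from 127.0.0.1, the same source address an admin's own browser gets.
#   HiddenServiceDir  /var/lib/tor/hidden_service/
#   HiddenServicePort 80 127.0.0.1:80
#
# FIXED: forward onion traffic to a loopback address:port used for nothing
# else. 127.0.0.2 is an assumed choice; on Linux any 127/8 address is
# already reachable on lo (other systems may need an interface alias).
HiddenServiceDir  /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.2:8080

# === Apache httpd 2.4 ====================================================
# WEAK (mods-enabled/status.conf as shipped, at global scope, so it applies
# to every virtual host): "local" matches 127.0.0.1 and therefore matches
# everything Tor hands over.
#   <Location "/server-status">
#       SetHandler server-status
#       Require local
#   </Location>
#
# FIXED, step 1: no server-status at global scope (do not enable
# status.conf, or remove the Location block from it). Loading mod_status
# turns ExtendedStatus on; turn it off unless you need it, because the
# extended table is what carries per-request URLs, client IPs and VHosts.
ExtendedStatus Off

# FIXED, step 2: the onion site gets its own listener, matching the torrc
# target, and denies the status path even if another include re-adds it.
Listen 127.0.0.2:8080
<VirtualHost 127.0.0.2:8080>
    ServerName   exampleonionaddress.onion
    DocumentRoot /var/www/onion
    <Location "/server-status">
        Require all denied
    </Location>
</VirtualHost>

# FIXED, step 3: status lives only on a management listener that Tor never
# forwards to. "Require local" is now meaningful, because the only things
# that can connect to 127.0.0.1:8081 are processes on the box itself
# (for remote admin: ssh -L 8081:127.0.0.1:8081 host, then browse it).
Listen 127.0.0.1:8081
<VirtualHost 127.0.0.1:8081>
    ServerName status.localhost
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
</VirtualHost>

# The public clearnet site stays on its usual :80/:443 listeners. What
# changed is that it, the onion listener and the management listener no
# longer share a status handler.
```

Check it the way a stranger would: `torsocks curl -sI http://<your>.onion/server-status` must come back 403 or 404, while `curl -s http://127.0.0.1:8081/server-status` on the box itself still works. This closes the server-status leak only; running the business website and the .onion in the same httpd still ties the two together through anything else that reveals one site's name to a visitor of the other, and the durable fix for that is a separate host.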

The article finishes with some sound advice: "If you're running a .onion site and you and your users are expecting to be anonymous then you probably owe it to everyone to read the manual".

https://nakedsecurity.sophos.com/2016/10/18/simple-mistake-exposes-businessmans-secret-dark-web-drug-store/
https://web.archive.org/web/20161019200609/https://nakedsecurity.sophos.com/2016/10/18/simple-mistake-exposes-businessmans-secret-dark-web-drug-store/
https://archive.is/chRaa



  • (Score: -1, Flamebait) by Anonymous Coward on Friday October 21 2016, @09:57AM

    by Anonymous Coward on Friday October 21 2016, @09:57AM (#417175)

    PHP contains a built-in web server inside itself. You can run a whole fucking site with it. And by fucking site, I mean flaming gay porn.

    Between thttpd for static content servers and bashttpd for dynamic content servers, it's been years since I've even thought about considering using Apache. Fuck it.

    • (Score: 4, Insightful) by Marand on Friday October 21 2016, @11:15AM

      by Marand (1081) on Friday October 21 2016, @11:15AM (#417190) Journal

      Between thttpd for static content servers and bashttpd for dynamic content servers, it's been years since I've even thought about considering using Apache. Fuck it.

      I switched to using lighttpd years ago for similar reasons. Smaller, faster, nicer to configure, and fewer traps just waiting for you to spring them. I occasionally miss being able to do .htaccess magic, but overall I'd say the tradeoff is worth it.

      Plus none of that mod_php bullshit. That alone is worth it.

      • (Score: 4, Interesting) by Anonymous Coward on Friday October 21 2016, @12:41PM

        by Anonymous Coward on Friday October 21 2016, @12:41PM (#417210)

        Lighttpd was way too unstable on a high load website (though that was several years ago), so we switched to Nginx. Never looked back.

        • (Score: 2) by Marand on Friday October 21 2016, @02:09PM

          by Marand (1081) on Friday October 21 2016, @02:09PM (#417249) Journal

          I use it for low-load stuff so I wouldn't know, to be honest. It's supposed to be good at handling loads of simultaneous connections, but I was more interested in the memory footprint, general performance, and convenience of use.

          I used to have a VPS with really tight memory constraints (64MB total, this was years ago) and got tired of Apache being a pig, using much of it even when idle, so I started looking for alternatives. lighttpd seemed promising and I liked the configuration style, so I gave it a go and haven't switched since.

          The memory use may have gotten me using it, but the configuration is what hooked me. It's a dumb thing but one of the things I like is that you can use include_shell to call a script that generates more lighttpd configuration. Like for example, you can include "filename" for a file, but I wanted to be able to include an entire directory in one shot, similar to what I had in Apache. So, I made a tiny script, like so:

          #!/bin/sh
          # Emit one lighttpd 'include "file"' line per file in the directory given as $1
          for FILE in "$1"/*; do
              echo "include \"$FILE\""
          done

          Then, in the lighttpd config, I use include_shell "./include_dir.sh ./sites-enabled/" and when lighttpd starts, it runs the script and populates itself with a bunch of single-file includes. Thanks to that, I can keep multiple sites' configurations organised without cluttering up the main file.

          It's a trivial example that I chose because it fits cleanly in an SN comment, but the point is you can do anything, including much more complicated configuration generation. That's the point, and what I like about lighttpd's configuration: it's extremely simple because you're allowed (and encouraged) to generate the configuration, metaprogramming-style, with any language you know and like instead of complicating lighttpd's parsing and forcing you to learn yet another language.

  • (Score: -1, Flamebait) by Anonymous Coward on Friday October 21 2016, @10:19AM

    by Anonymous Coward on Friday October 21 2016, @10:19AM (#417180)

    Does this definitely female person use GitHub social networking to put her profile photo of her face in your face and make sure you know she's a vegan lesbian?? YES SHE DOES.

    Sigh. Remember when coding was about the code? Remember when coders didn't want to emphasize their physical attributes because coders were fat and ugly and antisocial? Social media ruins everything.

    • (Score: 1, Funny) by Anonymous Coward on Friday October 21 2016, @10:42AM

      by Anonymous Coward on Friday October 21 2016, @10:42AM (#417185)

      I member.

    • (Score: 0) by Anonymous Coward on Friday October 21 2016, @10:49AM

      by Anonymous Coward on Friday October 21 2016, @10:49AM (#417186)

      Remember when [...] coders were fat and ugly

      Yes I remember Alan Cox [wikimedia.org].

      • (Score: 1) by DannyB on Friday October 21 2016, @01:37PM

        by DannyB (5839) Subscriber Badge on Friday October 21 2016, @01:37PM (#417228) Journal

        You mean they're not any more?

        --
        People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 2) by Marand on Friday October 21 2016, @11:10AM

      by Marand (1081) on Friday October 21 2016, @11:10AM (#417189) Journal

      Blame github, they're the ones pushing the "social coding" thing. Most people just want to host their damn code or report some bugs, but github wants to stand out by pushing this as a "social experience" and become the facebook of open source projects.

      Whatever, though. If someone wants to do that shit, good for them. They can do what they want as long as they don't start giving me shit for not buying into it too.

    • (Score: 1) by kurenai.tsubasa on Friday October 21 2016, @01:05PM

      by kurenai.tsubasa (5227) on Friday October 21 2016, @01:05PM (#417218) Journal

      *TRIGGERED!*

  • (Score: -1, Offtopic) by Anonymous Coward on Friday October 21 2016, @12:39PM

    by Anonymous Coward on Friday October 21 2016, @12:39PM (#417208)

    Read the Apache documentation? Why would I care about the Apache documentation?

    Over the last ten years, I've been running: IIS, thttpd, Lighttpd, and Nginx, plus Varnish and Pound (cache and load balancing web servers).

    Currently I'm on Nginx (personal server) and IIS (at work). I stay far far away from Apache.

  • (Score: -1, Troll) by Anonymous Coward on Friday October 21 2016, @03:09PM

    by Anonymous Coward on Friday October 21 2016, @03:09PM (#417276)

    You mean people don't do this?

    <Location "/show-me-your-fucking-status">
            SetHandler server-status
            Require ip 127.0.0.1
            Require ip YOUR_IP_HERE
    </Location>

    If you're too dumb to breed (or breathe), you shouldn't be allowed to touch expensive kit...

    • (Score: 3, Touché) by Anonymous Coward on Friday October 21 2016, @08:46PM

      by Anonymous Coward on Friday October 21 2016, @08:46PM (#417413)

      They do, AND THAT'S THE PROBLEM.

      All the .onion traffic comes from localhost, so allow 127.0.0.1 lets them all in.

  • (Score: 2, Informative) by fraxinus-tree on Friday October 21 2016, @03:18PM

    by fraxinus-tree (5590) on Friday October 21 2016, @03:18PM (#417280)

    To be ignorant hurts even more when you try to do complex things.

  • (Score: 0) by Anonymous Coward on Friday October 21 2016, @03:43PM

    by Anonymous Coward on Friday October 21 2016, @03:43PM (#417289)

    tor is still a thing? how gauche.

    • (Score: 0) by Anonymous Coward on Friday October 21 2016, @05:52PM

      by Anonymous Coward on Friday October 21 2016, @05:52PM (#417339)

      Matthew Prince, is that you?

  • (Score: 3, Interesting) by Techwolf on Saturday October 22 2016, @03:36AM

    by Techwolf (87) on Saturday October 22 2016, @03:36AM (#417513)

    Too many bugs that can leak real addresses. I would configure the real server on a private net, 192.168.0.1, and route all traffic through an external router.