
Disable viewing /about if not admin

Open · theDepart3d opened this issue 1 year ago · 1 comment

Is your feature request related to a problem? Please describe. Yes, it is a security risk having the about view display all the app information on a production server.

Describe the solution you'd like The /about view should only be visible by admins and when the app is in debug mode.

theDepart3d · Feb 17 '24 20:02

Currently the /about view is visible to authenticated users only. The view contains two information blocks, Environment and User preferences. When authenticated with an admin account, an additional block is visible, Admin settings. I don't think this is a security risk as long as that information is only visible to authenticated users.

Bubka · Feb 17 '24 20:02

Also, Environment is better reserved to admins: it allows standard users (who do not need this kind of information) to discover data about the runtime (bug).

Trapulo · Feb 20 '24 16:02

> Currently the /about view is visible to authenticated users only. The view contains two information blocks, Environment and User preferences. When authenticated with an admin account, an additional block is visible, Admin settings. I don't think this is a security risk as long as that information is only visible to authenticated users.

It might not be a security risk right now, but it could be in the future. Removing the environment variables would keep the server's backend information away from the public if the instance is reachable via WAN.

For Example:

Date: Wed, 21 Feb 2024 08:30:17 
userAgent: -----------
Version: 5.0.3
Environment: production
Install path: /
Debug: false
Cache driver: file
Log channel: daily
Log level:
DB driver: sqlite
PHP version: 8.2.0
Operating system: Linux
interface: apache2handler
Auth guard: web-guard
webauthn user verification: preferred
Trusted proxies: none

If that were an attacker, this is what he would now know about my system.

He knows:

  1. The server's exact time
  2. The 2FAuth version
  3. The Environment is set to production
  4. Where the install path is (/ = root)
  5. The system has disabled debug mode
  6. How the app is handling cache and logging
  7. What database I am using
  8. What PHP version is running on the server, the operating system and the apache2/nginx handler
  9. He now knows what auth guard I'm using
  10. He knows webauthn is preferred
  11. All my trusted proxies

Knowing all that information can lead to a security risk as there are multiple points of failure:

  • OS
  • DB type
  • app version
  • PHP version and interface
  • trusted proxies

Something like this would be perfect: leaving out all the backend information keeps the /about page clean.

theDepart3d · Feb 21 '24 10:02

The purpose of those blocks is to ease the collection of debugging information, so I don't want to totally remove them. As 2FAuth is now multi-user, I agree they could be restricted to administrators. I think I will move the Environment block, as well as the Admin block, to the new admin section I'm working on. I already made the User preferences block visible in this admin section, so the About page could be cleared as you suggest indeed.

Bubka · Feb 21 '24 14:02
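One way to implement the restriction agreed on above, as an added Laravel example that is not 2FAuth's own code: the Environment block is only serialised for administrators, and a feature test pins that a standard user receives no `environment` key at all. Assumed and hypothetical: a `User` model with an `is_admin` boolean and a `preferences` attribute, a `GET /about` JSON route behind the `auth` middleware, and a `User` factory.

```php
<?php
// Added example (not 2FAuth's own code). Assumed: User has is_admin and
// preferences; GET /about is routed to AboutController@index behind 'auth'.

namespace App\Http\Controllers;

use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;

class AboutController extends Controller
{
    public function index(Request $request): JsonResponse
    {
        $user = $request->user(); // never null behind the 'auth' middleware

        // Block every authenticated user may see.
        $payload = ['userPreferences' => $user->preferences];

        // Runtime details stay out of the response entirely for non-admins:
        // no key, no placeholder, nothing to fingerprint the host with.
        if ($user->is_admin) {
            $payload['environment'] = [
                'environment' => config('app.env'),
                'debug'       => config('app.debug'),
                'phpVersion'  => PHP_VERSION,
                'dbDriver'    => config('database.default'),
                'os'          => PHP_OS_FAMILY,
            ];
        }

        return response()->json($payload);
    }
}

// tests/Feature/AboutVisibilityTest.php (same assumptions as above)
class AboutVisibilityTest extends \Tests\TestCase
{
    public function test_standard_user_gets_no_environment_block(): void
    {
        $user = \App\Models\User::factory()->create(['is_admin' => false]);
        $this->actingAs($user)->getJson('/about')
            ->assertOk()
            ->assertJsonStructure(['userPreferences'])
            ->assertJsonMissingPath('environment');
    }

    public function test_admin_gets_environment_block(): void
    {
        $admin = \App\Models\User::factory()->create(['is_admin' => true]);
        $this->actingAs($admin)->getJson('/about')
            ->assertOk()
            ->assertJsonPath('environment.dbDriver', config('database.default'));
    }
}
```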