
v1.26.0-rc.1 exposes device information to unauthenticated users

Open GermanCoding opened this issue 2 years ago • 1 comments

PR #8757 introduced a new interactive login form, where previously only basic HTTP authentication was used. This has resulted in a behaviour change that exposes more information than before.

If you send an unauthenticated HTTP request to the syncthing web UI (e.g. http://localhost:8384), with authentication enabled, you get the following HTTP response back:

Before v1.26.0-rc.1

< HTTP/1.1 401 Unauthorized
< Date: Thu, 12 Oct 2023 13:59:07 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 15
< Connection: keep-alive
< Www-Authenticate: Basic realm="Authorization Required"
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block

Not Authorized

Since v1.26.0-rc.1

< HTTP/1.1 200 OK
< Date: Thu, 12 Oct 2023 14:00:03 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 78194
< Connection: keep-alive
< Vary: Accept-Encoding
< Cache-Control: no-cache, must-revalidate
< Etag: "6527fbdd"
< Last-Modified: Thu, 12 Oct 2023 13:59:57 GMT
< Set-Cookie: CSRF-Token-...
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Syncthing-Id: [my device ID]
< X-Syncthing-Version: v1.26.0-rc.1
< X-Xss-Protection: 1; mode=block
<
(some HTML login page)

In particular, the headers now expose the syncthing device ID and version. While none of the information is severely important, leaking the device ID to unauthenticated users isn't great. The device ID is an excellent identifier that can be used to track the IP addresses (and to some extent location) of any syncthing user via global discovery, and hence is a privacy risk. Leaking the syncthing version isn't terribly relevant, except for defense in depth techniques.

GermanCoding, Oct 12 '23 14:10

For what it's worth, we've leaked this in the health endpoint since a few versions as well, but I agree we should not.

jb@ok:~ % curl -i http://localhost:8081/rest/noauth/health
HTTP/1.1 200 OK
Cache-Control: max-age=0, no-cache, no-store
Content-Type: application/json; charset=utf-8
Expires: Thu, 12 Oct 2023 14:21:37 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Syncthing-Id: I6KAH76-66SLLLB-5PFXSOA-UFJCDZC-YAOMLEK-CP2GB32-BV5RQST-3PSROAU
X-Syncthing-Version: v1.25.0
X-Xss-Protection: 1; mode=block
Date: Thu, 12 Oct 2023 14:21:37 GMT
Content-Length: 21

{
  "status": "OK"
}

calmh, Oct 12 '23 14:10
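A small check an operator can run against their own instance to confirm whether the GUI root (the login page discussed in the issue) or the /rest/noauth/health endpoint (the one calmh points out) still returns X-Syncthing-Id / X-Syncthing-Version before authentication. This is an added example, not Syncthing's own code; the sample responses below are constructed from the issue with the device ID replaced by a placeholder.

```python
"""Report device-identifying headers served on unauthenticated responses.
Added example, not part of Syncthing; paths and header names come from the issue."""
import urllib.error
import urllib.request

# Headers the issue identifies as leaking device information before login.
SENSITIVE_HEADERS = ("X-Syncthing-Id", "X-Syncthing-Version")

# GUI root (login page since v1.26.0-rc.1) and the health endpoint from the reply.
PATHS = ("/", "/rest/noauth/health")


def parse_response(raw):
    """Parse a raw HTTP/1.x response (plain or `curl -v` style with '< ' prefixes)
    into (status_code, headers). Header names are normalised to Title-Case."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = [ln.lstrip("< ").rstrip("\r") for ln in head.splitlines() if ln.strip("< \r")]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return status, headers


def leaked_headers(headers):
    """Sensitive headers present in a response served without credentials.
    An empty result (ideally alongside a 401) is the desired outcome."""
    return {h: headers[h] for h in SENSITIVE_HEADERS if h in headers}


def check_instance(base_url):
    """Request each path with no credentials; 401/403 responses still carry headers."""
    findings = {}
    for path in PATHS:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=5) as resp:
                hdrs = {k.title(): v for k, v in resp.headers.items()}
        except urllib.error.HTTPError as err:
            hdrs = {k.title(): v for k, v in err.headers.items()}
        findings[path] = leaked_headers(hdrs)
    return findings


# Constructed samples mirroring the two responses shown in the issue.
SAMPLE_BEFORE = ("HTTP/1.1 401 Unauthorized\r\n"
                 'Www-Authenticate: Basic realm="Authorization Required"\r\n\r\nNot Authorized')
SAMPLE_AFTER = ("< HTTP/1.1 200 OK\r\n< Content-Type: text/html; charset=utf-8\r\n"
                "< X-Syncthing-Id: DEVICE-ID-PLACEHOLDER\r\n"
                "< X-Syncthing-Version: v1.26.0-rc.1\r\n< \r\n\r\n<html>login page</html>")

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        status, hdrs = parse_response(raw)
        print(label, status, leaked_headers(hdrs))
```

Run `check_instance("http://localhost:8384")` against a live instance; any non-empty entry means the header is still served to unauthenticated clients.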