An issue has been found in FreedomBox that allows anonymous and
unauthorized users to access private and potentially security relevant
information. The information is shown on an Apache Server Status page
and includes the IP address and URL request path for clients accessing
pages on the server.
By default, Apache only allows access to the Server Status page from
the local machine (the "Require local" rule in Debian's status.conf).
However, on FreedomBox both the Tor onion service and Pagekite hand
incoming connections to Apache from the local machine itself, so Apache
treats every request arriving through them as local and serves the page
to anyone who reaches the FreedomBox via its onion address or Pagekite
name.
We are planning to fix this issue in the next release of
FreedomBox. However, our releases have been delayed at the
moment. Therefore, if you are using Tor onion service or Pagekite, we
strongly recommend that you disable the Server Status page.
You can disable the page by running the following two commands on your
FreedomBox, either using Cockpit or SSH:
$ sudo a2dismod status
$ sudo systemctl restart apache2
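As an added example (not FreedomBox's own tooling), the following POSIX
shell script checks whether mod_status is still enabled and, after you
have run the two commands above, verifies from the outside that
/server-status is no longer served over the paths that exposed it. It
assumes Debian's Apache layout (/etc/apache2/mods-enabled), curl, and
torsocks on the machine you test from for the onion check; the base URLs
you pass on the command line are placeholders for your own.

```shell
#!/bin/sh
# Added example, not part of FreedomBox. Checks the mod_status state and
# whether /server-status is reachable over the given base URLs.
# Assumes Debian's Apache layout, curl, and torsocks for .onion URLs.

MODS_ENABLED="${MODS_ENABLED:-/etc/apache2/mods-enabled}"

# Returns 0 if mod_status is enabled. a2enmod/a2dismod manage the
# status.load symlink in mods-enabled, so its presence is the signal.
status_enabled() {
    dir="${1:-$MODS_ENABLED}"
    [ -e "$dir/status.load" ]
}

# Prints only the HTTP status code for a URL ("000" when no connection or
# no curl). $2 is an optional command prefix, e.g. "torsocks" for Tor.
http_code() {
    code=$($2 curl -s -o /dev/null -w '%{http_code}' --max-time 30 "$1" 2>/dev/null) || true
    echo "${code:-000}"
}

# Returns 0 when the status page is NOT served at the given base URL.
# After "a2dismod status" Apache answers 404; 403 means the module is
# still loaded but access is denied; 200 means it is still exposed.
status_page_hidden() {
    code=$(http_code "$1/server-status" "${2:-}")
    [ "$code" != "200" ]
}

# The fix itself (needs root): disable the module and restart Apache.
disable_status() {
    a2dismod status && systemctl restart apache2
}

# Read-only report; nothing below changes the system.
if status_enabled; then
    echo "mod_status is ENABLED in $MODS_ENABLED (run disable_status as root)"
else
    echo "mod_status is not enabled in $MODS_ENABLED"
fi

# Example: sh check_status.sh http://localhost http://xyz.onion https://me.pagekite.me
for base in "$@"; do
    prefix=""
    case "$base" in *.onion*) prefix="torsocks" ;; esac
    if status_page_hidden "$base" "$prefix"; then
        echo "OK:      $base/server-status is not served"
    else
        echo "EXPOSED: $base/server-status still returns 200"
    fi
done
```

Run it once before the fix (expect "ENABLED" and "EXPOSED" for the onion
and Pagekite URLs) and once after; the local check should then report
404 as well, since a2dismod removes the handler rather than just
tightening access.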
If you have any questions, feel free to ask at any of the following:
- Forum: https://discuss.freedombox.org/
- IRC: irc.debian.org, channel #freedombox
- Matrix: #freedombox:matrix.org
- Mailing list: https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss