Public ipv6 address exploit concern

solskog · 2023-10-25 04:07:59

Some of the journal log in forum threads includes users public ipv6 address. These addresses could be collected by web crawler and are vulnerable for remote exploit. If that is possible for forum web server backend to filter out and mask these ip addresses before they became public available. Or at least warn user before he/she click on Submit to the forum or send to https://0x0.st ?

Last edited by solskog (2023-10-25 04:55:12)

seth · 2023-10-25 07:07:05

The specific logs I think you refer to are a bit of an exception (I think) - the user uses dhcpcd as NM backend and NM puts dhcpcd into debug mode (I've not seen this output in regular dhcpcd logs) and logs everything into the journal.

We can't tell everyone to scan their logs for private data all the time b/c many users don't really know what that is and will obfuscate insensitive data like hostnames or LAN/LL/ULA addresses and o/c each and every FS/disk/part UUID and rather harmless data like SSIDs and BSSIDs - iow. the journals will look like a disclosed government document, mostly consisting of black bars.

https://github.com/NetworkConfiguration … issues/256

solskog · 2023-10-26 03:49:00

Thanks for reporting this issue. It's allways best to solve the root cause of any issue. Since we don't known for how long it would take to resolve this issue form dhcpd side.
if that is possible to warn users to remove the public ipv6 adress from the journal before clicking on submit buttuon in the forum? A text label perhaps?
And to find out your own public ipv6 address is simple enough.

# ip add

We are not worried about other info in the journal, without public ip you would have to be in the same LAN or have physical acess to the system.

Last edited by solskog (2023-10-26 06:04:36)

seth · 2023-10-26 06:59:10

rsmarples is on this forum, so I'm kind aconfident that he'll address this one way or the other reasonably soon.

I also frequently ask users to upload it to a pastebin service where it somewhat spirals out of their control and it doesn't help anyone outside this context.

Public IPs don't need to be in that kind of journal (seeing that you got one and maybe the last bytes to locally identify it is entirely sufficient) and regardless of the state of FluxBB, I doubt we'll see PSAs "Remember to not expose yourself when posting"; the immediate problem is that this exposure is unexpected and stashed in a huge amount of data.

rsmarples · 2023-11-07 23:02:44

Yup, the default config dhcpcd-10.1.x will likely not emit any client side addresses or route changes by default.
dhcpcd-10.0.x will stay as is.

I will hopefully find time to achieve that during the holidays as it's a fairly substantive effort to go through the code base and ensure nothing escapes me AND the changes still give enough confidence to the user by default that things are working.
I only want to do this the once and want to get it right.

solskog · 2023-11-13 13:18:37

rsmarples wrote:

Yup, the default config dhcpcd-10.1.x will likely not emit any client side addresses or route changes by default.
dhcpcd-10.0.x will stay as is.

Thanks for the quick response! Meanwhile I will include a warning at the end of my credo.

Keep privacy away form journals

Arch Linux

#1 2023-10-25 04:07:59

Public ipv6 address exploit concern

#2 2023-10-25 07:07:05

Re: Public ipv6 address exploit concern

#3 2023-10-26 03:49:00

Re: Public ipv6 address exploit concern

#4 2023-10-26 06:59:10

Re: Public ipv6 address exploit concern

#5 2023-11-07 23:02:44

Re: Public ipv6 address exploit concern

#6 2023-11-13 13:18:37

Re: Public ipv6 address exploit concern

Board footer