These are chat archives for ushahidi/Community

14th Nov 2017
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 12:21
For some reason our deployment is not displaying the photos attached to reports. Any ninjas here want to take a stab at that issue?
Ushbot
@ushbot
Nov 14 2017 12:26
[David Losada, Ushahidi] Hi, is there a publicly accessible URL showing the problem?
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 12:27
Hi David. It's a closed deployment right now but I can open it up
Here's some of the errors we're seeing
[Tue Nov 14 12:24:53.741770 2017] [authz_core:debug] [pid 7852] mod_authz_core.c(809): [client 171.33.130.180:49668] AH01626: authorization result of <RequireAny>: granted, referer: https://research.okap.io/views/map
[Tue Nov 14 12:24:55.063816 2017] [ssl:debug] [pid 7875] ssl_engine_io.c(1017): [client 171.33.130.180:49669] AH02001: Connection closed to child 15 with standard shutdown (server research.okap.io:443)
Ushbot
@ushbot
Nov 14 2017 12:29
[David Losada, Ushahidi] those are debug level events.. so they should be harmless. they look harmless
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 12:30
The image links appear in the source code for the reports but 1) fail to render on both the map and the report views, and 2) even copying the source image link into a browser will not resolve but redirects to the main map view.
Another .htaccess issue possibly?
Ushbot
@ushbot
Nov 14 2017 12:30
[David Losada, Ushahidi] there was a known problem with the installable package for a while affecting this. did you use the .tar.gz with everything built in?
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 12:30
@xtrc that question is for you
Wesley Ronda
@xtrc
Nov 14 2017 12:30
I extracted the latest release folder yes
to which directory should the images upload?
is that /var/www/html/platform/application/media/uploads
?
Ushbot
@ushbot
Nov 14 2017 12:32
[David Losada, Ushahidi] yes, that seems fine
[David Losada, Ushahidi] do you have 'base_url' => 'platform' in platform/application/config/init.php ?
Wesley Ronda
@xtrc
Nov 14 2017 12:32

cat init.php

<?php defined('SYSPATH') OR die('No direct access allowed.');

/**
 * Initialize Kohana, setting the default options.
 *
 * The following options are available:
 *
 * - string   base_url    path, and optionally domain, of your application   NULL
 * - string   index_file  name of your index file, usually "index.php"       index.php
 * - string   charset     internal character set used for input and output  utf-8
 * - string   cache_dir   set the internal cache directory                   APPPATH/cache
 * - integer  cache_life  lifetime, in seconds, of items cached              60
 * - boolean  errors      enable or disable error handling                   TRUE
 * - boolean  profile     enable or disable internal profiling               TRUE
 * - boolean  caching     enable or disable internal caching                 FALSE
 * - boolean  expose      set the X-Powered-By header                        FALSE
 */
return array(
    'base_url'   => '/',
    'index_file' => FALSE,
    'charset'    => 'utf-8',
    'errors'     => TRUE,
    'profile'    => FALSE,
    'caching'    => FALSE,
);
Right, so I gotta change the base URL to
Ushbot
@ushbot
Nov 14 2017 12:33
[David Losada, Ushahidi] yep, that should be it .. time for us to double check it’s fixed in the current latest
[David Losada, Ushahidi] the correct value is “/platform”
Wesley Ronda
@xtrc
Nov 14 2017 12:35
yeah that fixed it
thanks!
this was default from the tar file btw :)
Ushbot
@ushbot
Nov 14 2017 12:36
[David Losada, Ushahidi] yep , I see it was only fixed for the docker runtime
[David Losada, Ushahidi] fixing it for good now
[David Losada, Ushahidi] thanks!
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 12:36
Nice, go team!
Thanks David! Much appreciated.
Ushbot
@ushbot
Nov 14 2017 12:37
[David Losada, Ushahidi] you are very much welcome, we appreciate your report a lot as well
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 15:41
Community, our deployment is being forced over HTTPS but the built-in avatars (gravatars) are being served over insecure HTTP and throwing browser security warnings. Maybe we need to either disable gravatars or be able to define one single user avatar default from a secure internal source?
Also, I think we've found a security hole. There seem to be API calls happening before successful login, which I suspect compromises the security of a private deployment in one way or another.
Ushbot
@ushbot
Nov 14 2017 15:44
[David Losada, Ushahidi] That's fixed in the code repository and will be shipped in an upcoming release
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 15:44
Gravatars or API calls before login?
Ushbot
@ushbot
Nov 14 2017 15:45
[David Losada, Ushahidi] Gravatar calls and other mixed content warnings.
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 15:45
Cool, thanks David.
Ushbot
@ushbot
Nov 14 2017 15:47
[David Losada, Ushahidi] About api , you do have a point there, although I think to us the risk may be outweighed by the cost of implementing a significantly different approach
Wesley Ronda
@xtrc
Nov 14 2017 15:51
Is there a work around to trigger the API call after login?
xxx - - [14/Nov/2017:13:30:07 +0000] "GET /platform/api/v3/tags HTTP/1.1" 403 3709 "https://research.okap.io/views/map" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
I obfuscated the IP for obvious reasons :)
But this is the 403 being thrown amongst others
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 15:53
I haven't tested the theory. But I see the map UI loading for an instant prior to login on a private deployment which theoretically could comprise reporter security. If the load process can be stopped at the right time, intruders may be able to crack into the platform? I will pose this to our security engineer and see what comes up.
Ushbot
@ushbot
Nov 14 2017 15:53
[David Losada, Ushahidi] Not a quick one that I can think of. We are probably going to overhaul the whole logic that generates requests and tie it more tightly to the states of the app. Regardless there will still be at least a call in order to discern if the deployment is public or locked.
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 15:53
*compromise
Ushbot
@ushbot
Nov 14 2017 15:57
[David Losada, Ushahidi] In any case as far as we have been able to test, no information is leaked if the privileges don't check out. It's mostly a problem of the client being too eager to send requests that are doomed to fail
[David Losada, Ushahidi] I'll also add that the app has been independently audited for security
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 15:58
That's good to know. Just the web app or the mobile app as well?
Ushbot
@ushbot
Nov 14 2017 15:59
[David Losada, Ushahidi] Web app and api . Not the mobile app afaik
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 15:59
Ok. Cool.
We will have some input on the mobile app security soon as well
Ushbot
@ushbot
Nov 14 2017 16:00
[David Losada, Ushahidi] But of course, any checks you'd want to do , we'll be hugely grateful to hear about :)
[David Losada, Ushahidi] Thanks!
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 16:01
Our security engineer is very attentive; I'm positive he'll provide you some valuable feedback. :-D
Ushbot
@ushbot
Nov 14 2017 16:02
[David Losada, Ushahidi] Awesome =D
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 16:04
Is there any easy way to disable the map sharing button/feature? As we're collecting sensitive data we absolutely do not want to allow embedding of maps on external sites.
Ushbot
@ushbot
Nov 14 2017 16:07
[David Losada, Ushahidi] Not really at this point. The embed shouldn't work anyway for a private deployment (unless you are already logged in prior to visiting the site). However, thinking about it.. it may make sense to disable that as default altogether for private deployments.
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 16:09
Would it suffice to delete the front end code containing the button and actions or will that break something?
Ushbot
@ushbot
Nov 14 2017 16:10
[David Losada, Ushahidi] yea, that can be done. that will put you in a scenario where you have to re-build the front-end code, though
[David Losada, Ushahidi] what we call a developer setup
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 16:10
Sounds ominous. :-D
Ushbot
@ushbot
Nov 14 2017 16:10
[David Losada, Ushahidi] it’s got its quirks :)
[David Losada, Ushahidi] nothing too exotic really, but the usual learning curve with the development tools
Brad Anthony
@INTJ_Ape_twitter
Nov 14 2017 16:12
I will leave that to the developers ; way over my pay grade :-D