1: Security fix: 18/06/16

Affected configurations
  Public sites (and private sites with untrusted users) installed as Tor hidden services running Tokumei versions between 58aa83c (Apr 6) and 556aa63 (May 20).

Vulnerability
  These versions of Tokumei accept file uploads as URLs and retrieve the files via wget or curl without torifying requests. An attacker can run a server logging requests, post its address in the file field, and find the real IP address of the Tokumei server in their log.

Fix
  Upgrade to commit 385f046 or later.

Credit
  This issue was identified by Kyle Farwell.
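
For operators reviewing their own fetch-by-URL code against the vulnerability described above, the following is an added example, not Tokumei's actual patch. It shows a curl wrapper that sends both the request and its DNS lookup through Tor and fails closed if the proxy is unreachable. The function names, the size and time limits, and the assumption that Tor's SOCKS listener is on its default 127.0.0.1:9050 are illustrative.

```shell
#!/bin/sh
# Added example: torified fetch for user-supplied upload URLs.
# Assumption: Tor's SOCKS listener is on its default address.
TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"

# Accept only plain http(s) URLs with no whitespace.
# Rejects file://, ftp://, option-like strings, and so on.
valid_upload_url() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch_upload URL DEST
# Returns 2 for a rejected URL, otherwise curl's exit status.
fetch_upload() {
    url=$1
    dest=$2
    valid_upload_url "$url" || { echo "rejected URL: $url" >&2; return 2; }

    # --socks5-hostname : the proxy resolves the host name, so no
    #                     DNS query leaves the server directly
    # --noproxy ''      : ignore NO_PROXY/no_proxy from the
    #                     environment, which could bypass the proxy
    # --proto*          : http/https only, including on redirects
    # curl does not fall back to a direct connection when the SOCKS
    # proxy is down; it exits non-zero, so the fetch fails closed.
    # CURL is overridable so the argument list can be inspected.
    ${CURL:-curl} --silent --show-error --fail \
        --socks5-hostname "$TOR_SOCKS" --noproxy '' \
        --proto '=http,https' --proto-redir '=http,https' \
        --max-time 60 --max-filesize 10485760 \
        --output "$dest" --url "$url"
}
```

Any other code path that makes outbound requests on behalf of users (thumbnailers, link previews) needs the same treatment, since a single untorified request is enough to reveal the server's address.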