Date Tags PrivateBin / Release

This release fixes leakage of configuration and raw pastes that can occur in some setups.

On 29th of September, @pstn reported a medium data leak vulnerability in PrivateBin. If either a) a non-apache webserver is used or b) apache has "AllowOverride" disabled and the installation was not secured by changing the path of sensitive folders, these can be accessed from the outside. This release fixes this by converting these files from INI/JSON to php files, so that they are protected even under those conditions.

Further details on why this is an issue and its implications can be found in our report on the vulnerability. It also describes methods to check if your server is currently affected by the issue.

Benefits of switching to the new release

Even if you are currently using an apache server and are not affected by this issue, we would advise to plan to update soon. Some of the sites affected by this reported that they had changed their webserver setup, inadvertedly becoming affected. You might do the same in the future, too, and forget to check your PrivateBin setups security.

Alternatively consider to securing your installation by changing the path of folders containing sensitive information. We have updated our installation instructions, stressing our security recommendations.

Update procedure

Apart from updating the libraries and the javascript files, make sure that your PHP process can also write to the cfg folder. The next call to your privatebin installation will convert the conf.ini file into conf.php. Accessing pastes will convert these, too. Additionally we also are hooking into the purge mechanism to gradually convert pastes that are not frequently accessed.

Changes since version 1.1

  • CHANGED: Switched to .php file extension for configuration and data files, to avoid leaking data in unprotected installations.