Package: prayer
Version: 1.3.5-dfsg1-4+b1
Severity: important
Tags: security upstream patch

Hi,

prayer includes a Referrer header when users click on a link in their
email; this header includes the user's username, e.g.:

https://aragorn.weathertop.principate.org.uk/session/matthew:17095//AAAE@display@225@7234

This means that the operator of the linked-to website learns about the
identity of their visitors; this may be entirely personally
identifying - for example:

https://telescoper.wordpress.com/2018/10/18/a-breakthrough-for-a-bigot/#comment-339386

...where the cam.ac.uk username is enough to tell the commenter
exactly who has been visiting.

The solution is to patch header.t to include:
<meta name="referrer" content="no-referrer">

Operators of prayer systems fix this by copying
templates/cam/header.t (from the source package) into
/etc/prayer/templates/cam/header.t and applying the patch, then
adjusting prayer.cf to have template_use_compiled = FALSE and then
restarting prayer.

I'm reporting this publicly as the issue is already known about (cf
the blog link above); it's arguably release-critical severity, but
I'll leave that to your discretion. The fix is fairly simple, at
least!

Regards,

Matthew

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 4.9.0-6-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages prayer depends on:
ii  adduser                                    3.115
ii  exim4                                      4.89-2+deb9u3
ii  exim4-daemon-heavy [mail-transport-agent]  4.89-2+deb9u3
ii  libc-client2007e                           8:2007f~dfsg-5
ii  libc6                                      2.24-11+deb9u3
ii  libdb5.3                                   5.3.28-12+deb9u1
ii  libldap-2.4-2                              2.4.44+dfsg-5+deb9u2
ii  libssl1.1                                  1.1.0f-3+deb9u2
ii  libtidy5                                   1:5.2.0-2
ii  logrotate                                  3.11.0-0.1
ii  lsb-base                                   9.20161125
ii  ssl-cert                                   1.0.39
ii  zlib1g                                     1:1.2.8.dfsg-5

prayer recommends no packages.

Versions of packages prayer suggests:
ii  aspell                       0.60.7~20110707-3+b2
ii  dovecot-imapd [imap-server]  1:2.2.27-3+deb9u2
ii  ispell                       3.4.00-5
pn  prayer-accountd              <none>
pn  prayer-templates-src         <none>

-- Configuration Files:
/etc/default/prayer changed [not included]
/etc/prayer/prayer.cf changed [not included]

-- no debconf information
--- dgits/prayer/templates/cam/header.t 2018-10-25 11:06:30.876776353 +0100
+++ /etc/prayer/templates/cam/header.t  2018-10-25 11:09:09.201874115 +0100
@@ -11,6 +11,8 @@
 % ENDIF
 <meta name="robots" content="none" />
 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+%# don't send referrer to avoid information leak of username
+<meta name="referrer" content="no-referrer">
 <link rel="stylesheet" href="/static/layout.css"
       type="text/css" media="all" />
 <link rel="stylesheet" href="/static/print.css"
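Review bot: the added `<meta name="referrer" content="no-referrer">` omits the ` />` self-closing form that every neighbouring `<meta>` and `<link>` in this hunk uses; suggest `<meta name="referrer" content="no-referrer" />` so the head stays consistent. The `%#` comment line relies on the template engine treating `%#` as a comment; the only directive visible in the hunk is `% ENDIF`, so it is worth confirming that `%#` is not emitted into the rendered page. Since a meta referrer tag only governs documents that include this header template, it would also be worth checking that every page from which a user can follow an external link is rendered through it.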

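The report describes the leak (a session URL with the username in its path is sent as the Referer) and the fix (a `no-referrer` policy via a meta tag). The following is an added example, not code from the bug report, from prayer or from Debian: it models what a browser sends in the Referer header when a user follows a link from the session page quoted above, under each Referrer-Policy value, and checks a header template for the meta tag. The session and target URLs are the ones quoted in the report; the template excerpts are constructed for the example, and the treatment of an empty policy as `strict-origin-when-cross-origin` is an assumption about current browser defaults (older browsers defaulted to `no-referrer-when-downgrade`, which is why the full session URL leaked).

```python
"""Referer leak model for a prayer-style session URL.

Added example (not the bug report's, prayer's or Debian's code): models the
Referer a browser sends under each Referrer-Policy value and checks a header
template for the <meta name="referrer" content="no-referrer"> fix.
"""
from html.parser import HTMLParser
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# URLs quoted in the report: the session URL carries the username in its path.
SESSION_URL = ("https://aragorn.weathertop.principate.org.uk"
               "/session/matthew:17095//AAAE@display@225@7234")
TARGET_URL = ("https://telescoper.wordpress.com/2018/10/18/"
              "a-breakthrough-for-a-bigot/#comment-339386")

REFERRER_POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)

def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.hostname}" + (f":{p.port}" if p.port else "")

def referrer_url(url: str) -> str:
    """Full-URL form of a referrer: userinfo and fragment are always dropped."""
    p = urlsplit(url)
    host = (p.hostname or "") + (f":{p.port}" if p.port else "")
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def referer_header(source: str, dest: str, policy: str = "") -> Optional[str]:
    """Referer value sent when navigating from source to dest, or None.

    Decision table from the Referrer Policy specification. An empty policy is
    assumed to mean the current browser default, strict-origin-when-cross-origin.
    """
    policy = policy or "strict-origin-when-cross-origin"
    if policy not in REFERRER_POLICIES:
        raise ValueError(f"unknown referrer policy {policy!r}")
    same_origin = origin_of(source) == origin_of(dest)
    # "downgrade" = leaving a TLS-protected page for a non-TLS destination
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    full, origin_only = referrer_url(source), origin_of(source) + "/"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if same_origin and policy.endswith("when-cross-origin"):
        return full        # origin-when-cross-origin, strict-origin-when-cross-origin
    if downgrade and policy.startswith("strict-origin"):
        return None        # strict-origin, strict-origin-when-cross-origin
    return origin_only     # origin, and every remaining cross-origin case

# prayer session path shape seen in the report: /session/<user>:<id>/...
SESSION_PATH_RE = re.compile(r"/session/([^/:]+):\d+")

def username_in_referer(referer: Optional[str]) -> Optional[str]:
    """Username the linked-to site could read out of the Referer, if any."""
    if referer is None:
        return None
    m = SESSION_PATH_RE.search(urlsplit(referer).path)
    return m.group(1) if m else None

def leak_report(source: str = SESSION_URL, dest: str = TARGET_URL) -> dict:
    """Policy -> username exposed to the destination site (None if nothing)."""
    return {pol: username_in_referer(referer_header(source, dest, pol))
            for pol in REFERRER_POLICIES}

class _MetaCollector(HTMLParser):
    """Collects the attributes of every <meta> tag (self-closing or not)."""
    def __init__(self) -> None:
        super().__init__()
        self.metas = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            self.metas.append({k: (v or "").strip().lower() for k, v in attrs})

def template_blocks_referrer(html: str) -> bool:
    """True if the markup contains <meta name="referrer" content="no-referrer">."""
    parser = _MetaCollector()
    parser.feed(html)
    return any(m.get("name") == "referrer" and m.get("content") == "no-referrer"
               for m in parser.metas)

# Constructed excerpts of header.t around the patched lines, before and after.
HEADER_BEFORE = """<meta name="robots" content="none" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="/static/layout.css" type="text/css" media="all" />"""
HEADER_AFTER = HEADER_BEFORE.replace(
    "<link", '<meta name="referrer" content="no-referrer" />\n<link', 1)

if __name__ == "__main__":
    for pol, user in leak_report().items():
        print(f"{pol:32} -> {user or '(username not exposed)'}")
    print("before fix:", template_blocks_referrer(HEADER_BEFORE),
          " after fix:", template_blocks_referrer(HEADER_AFTER))
```

Run as a script it prints, for the report's link, that only `no-referrer-when-downgrade` and `unsafe-url` hand the destination the username `matthew`; every origin-only policy still tells the site which webmail host the visitor came from, and only `no-referrer` (the patched value) sends nothing at all. `template_blocks_referrer` can be pointed at a rendered page or at `/etc/prayer/templates/cam/header.t` to confirm the tag is present after the patch described in the report.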