The below is a write-up of the security issue reported by @subract in March, regarding Dashy's built-in auth.
Warning
If you're running Dashy 2.1.1 or older, and have your instance publicly exposed to the internet, and have not implemented server-side auth - PLEASE pay extra attention to this post!
What was the issue
In version 2.1.1 and older, even if the user has enabled Dashy's built-in auth, the configuration file could still be accessed by direct URL, if they didn't have any other protections enabled. If an instance was publicly exposed to the internet, and if the configuration contained any sensitive info, this could have serious consequences.
How did we address this
First, I've updated the messaging around auth, to clarify that, if your dashboard is publicly accessible on the internet, it should be used as the sole means of protecting it.
Then in 3.0.0 and later, we've implemented HTTP auth, which adds server-side protection to your config file (if enabled), effectively fixing the issue outlined.
V3 also added other config security improvements, such as using env vars instead of strings for any potentially sensitive info.
How you can secure your instance
I still recommend that, if your instance of Dashy is exposed publicly to the internet, you should:
Protect it with a reverse proxy and an authentication provider of your choice
Ensure your permissions are set up correctly. E.g. making any configuration read-only
Keep both Dashy, and all other software and packages up-to-date
I've written more about management and security in the Dashy docs, here.
Lessons Learnt
I (@Lissy93) fully take responsibility for this. I didn't make the documentation clear enough around this, I failed to check and respond to messages in a timely manner, and most importantly - I didn't keep all of you informed. And for that, I am very truly sorry.
I would understand if any of you wanted to jump ship after reading this (here's a list of alternatives if you do), but I really hope that you'll stick with us and continue using Dashy.
There's a bit of irony, as anyone who knows me knows that security is something I care greatly about. But rest assured, lessons have been learnt, Dashy's security tightened, and I'm also looking into getting a professional audit done.
Any questions, let me know below, and I'd be happy to help :)
Credits
Of course, I want to give a huge shout-out to @subract. He did everything right, found an issue, contacted the maintainer and then wrote a high quality report of his findings.