According to the SecureDrop Workstation audit, which was conducted by Trail of Bits and funded by the New York Times, the high-severity directory traversal bug could be abused for code execution attacks. According to the audit report [PDF], "the high severity finding indicates a case where a malicious SecureDrop server could place files in arbitrary paths in the sd-app VM, potentially allowing for code execution."

"When the SecureDrop Workstation client downloads a file, it stores it in a location derived from the file name returned by the server. However, since this location is not sanitized properly in all instances, an attacker who controls responses from the server can make the client save files in arbitrary paths on the filesystem. An attacker can use this vulnerability to place files that potentially enable further vulnerabilities." The code auditors at Trail of Bits found two cases where a malicious SecureDrop server could plant files.

Overall, the SecureDrop Workstation received a clean bill of health from the security assessment. "During our engagement, we were unable to achieve a direct compromise of the Workstation from the position of an internet-based attacker," Trail of Bits said, but added that this does not rule out the possibility of such a compromise or mean that SecureDrop Workstation is bug-free.

The Freedom of the Press Foundation is currently in charge of SecureDrop Workstation. The platform, which is based on Qubes OS, allows news organizations, journalists, sources, and whistleblowers to communicate in a secure and encrypted manner. It is currently being piloted at a small scale. According to the Foundation, the audit report based some of its conclusions on the use of virtualization to segment sensitive workloads, and the Foundation was pleased with the finding that the system "represents a complex but well-studied product that has been thoughtfully designed." According to the Foundation, none of the issues found can be directly exploited by an attacker; they require either a compromise of the SecureDrop server or code execution in certain key VMs within the SecureDrop Workstation.
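The finding quoted above (a download location derived from a server-supplied file name that is not sanitized consistently) is the classic path traversal pattern. The following is an added example written for this article, not code from SecureDrop Workstation or from the audit: a naive path join beside a hardened one that rejects, rather than repairs, names containing separators or leading dots, and then independently verifies that the final path stays inside the data directory. The data directory path and the sample file names are constructed for illustration.

```python
"""Added example (not SecureDrop code): a naive download-path join beside a
hardened one, showing why a server-supplied file name must be validated."""
import os
import re

# Allowlist for names the client will accept from the server: no separators,
# no leading dot (rejects ".", ".." and hidden files), bounded length.
# The pattern is an assumption for this example, not a SecureDrop rule.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeFilename(ValueError):
    """Raised when a server-supplied file name fails validation."""


def naive_download_path(data_dir: str, server_filename: str) -> str:
    """Vulnerable pattern, kept for contrast: the server-supplied name is
    joined straight into the data directory, so '../../x' or an absolute
    name lands outside data_dir."""
    return os.path.normpath(os.path.join(data_dir, server_filename))


def is_within(data_dir: str, candidate: str) -> bool:
    """True if candidate resolves to a location inside data_dir
    (symlinks in either path are resolved before comparing)."""
    base = os.path.realpath(data_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base


def safe_download_path(data_dir: str, server_filename: str) -> str:
    """Hardened version: reject suspicious names outright, then verify
    containment as a second, independent check."""
    if "\0" in server_filename:
        raise UnsafeFilename("NUL byte in file name")
    if "/" in server_filename or "\\" in server_filename:
        raise UnsafeFilename("path separator in file name: %r" % server_filename)
    if not _SAFE_NAME.match(server_filename):
        raise UnsafeFilename("file name rejected by allowlist: %r" % server_filename)
    candidate = os.path.join(data_dir, server_filename)
    if not is_within(data_dir, candidate):
        raise UnsafeFilename("file name escapes the data directory")
    return candidate


def classify(data_dir: str, server_filename: str) -> dict:
    """Run both versions on one name so the difference is visible:
    where the naive join would write, whether that escapes data_dir,
    and whether the hardened version accepts the name at all."""
    naive = naive_download_path(data_dir, server_filename)
    try:
        safe = safe_download_path(data_dir, server_filename)
        accepted = True
    except UnsafeFilename:
        safe = None
        accepted = False
    return {
        "naive": naive,
        "naive_escapes": not is_within(data_dir, naive),
        "accepted": accepted,
        "safe": safe,
    }


if __name__ == "__main__":
    # Constructed sample inputs: one benign name and three hostile ones.
    data_dir = "/home/user/.securedrop_client/data"
    for name in ["report.pdf", "../../.bashrc", "/etc/passwd", ".."]:
        print(repr(name), classify(data_dir, name))
```

The rejection-first design matters: silently stripping directory components (for example, taking only the basename) repairs the name but hides the fact that the server sent something it never should, which is itself a signal that the server may be compromised. The containment check remains as defence in depth in case the allowlist is later relaxed.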
Trail of Bits discovered and reported 1 high-risk, 6 medium-risk, 7 low-risk, and 12 informational findings over the course of their engagement (6 person-weeks with two pen-test/code audit engineers). The audit found that the high-severity issue and six medium-severity issues had already been fixed and merged, with the fixes having been verified by the audit team. The Foundation also reported that it is looking into possible architectural changes, such as the development of a custom RPC service to handle file opening. "In addition to responding to the issues raised in this report, we're incorporating input from current pilot participants and developing new features related to export and integration with other communication tools. We're working on expanding the pilot to a few more news organizations, and we plan to make it available to everyone later this year," the Foundation said.