Hello, thanks for your time and your will to make the project better. Dashy is a wonderful tool and a pleasure to use each day. Security issues regarding keycloak auth (configured with dashy Many thanks again.
Hey everyone,
The below is a write-up of the security issue reported by @subract in March, regarding Dashy's built-in auth.
Warning
If you're running Dashy 2.1.1 or older, and have your instance publicly exposed to the internet, and have not implemented server-side auth - PLEASE pay extra attention to this post!
What was the issue
In version 2.1.1 and older, even if the user has enabled Dashy's built-in auth, the configuration file could still be accessed by direct URL, if they didn't have any other protections enabled. If an instance was publicly exposed to the internet, and if the configuration contained any sensitive info, this could have serious consequences.
How did we address this
How you can secure your instance
I still recommend that if your instance of Dashy is exposed publicly to the internet, that you should:
I've written more about management and security in the Dashy docs, here.
Lessons Learnt
I (@Lissy93) fully take responsibility for this. I didn't make the documentation clear enough around this, I failed to check and respond to messages in a timely manner, and most importantly - I didn't keep all of you informed. And for that, I am very truly sorry.
I would understand if any of you wanted to jump ship after reading this (here's a list of alternatives if you do), but I really hope that you'll stick with us and continue using Dashy.
There's a bit of irony, as anyone who knows me knows that security is something I care greatly about. But rest assured, lessons have been learnt, Dashy's security tightened, and I'm also looking into getting a professional audit done.
Any questions, let me know below, and I'd be happy to help :)
Credits
Of course, I want to give a huge shout-out to @subract. He did everything right, found an issue, contacted the maintainer and then wrote a high quality report of his findings.
❤️
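The root cause described in the post above is a general one: a login screen rendered by a single-page app is a UI gate, and a static file the server hands out on request is not protected by it. The following added example (not Dashy's code, and not from the post's author) models the two deployment shapes as plain request handlers so the difference can be checked offline. The config path, the file contents and the credential are constructed placeholders; the server-side layer shown is HTTP Basic auth, standing in for whatever reverse-proxy or identity-provider auth you actually put in front of the instance.

```python
"""Front-end-only auth versus server-side auth for a static config file.

Added example, not project code. Models request handling as functions so the
behaviour can be tested without running a web server.
"""
import base64
import hmac
from dataclasses import dataclass

# Placeholder paths: substitute your deployment's real paths.
INDEX_PATH = "/"
CONFIG_PATH = "/config.yml"

# Constructed sample "files" the server would hand out verbatim.
FILES = {
    INDEX_PATH: "<html>login form rendered by the single-page app</html>",
    CONFIG_PATH: (
        "pageInfo:\n"
        "  title: Home\n"
        "sections:\n"
        "  - name: Internal\n"
        "    items:\n"
        "      - title: Private service\n"
        "        url: https://internal.example/\n"
    ),
}

# Constructed credential for the server-side auth layer (the kind of entry a
# reverse proxy's htpasswd file would hold). Never hard-code real secrets.
USERS = {"admin": "correct horse battery staple"}


@dataclass
class Response:
    status: int
    body: str = ""


def _basic_auth_ok(headers: dict) -> bool:
    """Validate an HTTP Basic Authorization header against USERS."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    expected = USERS.get(user)
    # Compare in constant time; use a dummy when the user is unknown so the
    # timing does not reveal whether the username exists.
    candidate = expected.encode("utf-8") if expected is not None else b"\0" * 32
    match = hmac.compare_digest(password.encode("utf-8"), candidate)
    return expected is not None and match


def serve_frontend_auth_only(path: str, headers: dict) -> Response:
    """Weak pattern: the login gate lives only in the browser. The server never
    looks at credentials, so a direct request for the config file succeeds."""
    body = FILES.get(path)
    return Response(200, body) if body is not None else Response(404)


def serve_with_server_side_auth(path: str, headers: dict) -> Response:
    """Hardened pattern: authentication is enforced before any file is read,
    so the config file is only returned to an authenticated request."""
    if not _basic_auth_ok(headers):
        return Response(401)
    body = FILES.get(path)
    return Response(200, body) if body is not None else Response(404)


def authorization_header(user: str, password: str) -> dict:
    """Build the Authorization header a client would send for Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


if __name__ == "__main__":
    anon = {}
    good = authorization_header("admin", "correct horse battery staple")
    print("front-end only, anonymous config request :",
          serve_frontend_auth_only(CONFIG_PATH, anon).status)
    print("server-side auth, anonymous config request:",
          serve_with_server_side_auth(CONFIG_PATH, anon).status)
    print("server-side auth, authenticated request   :",
          serve_with_server_side_auth(CONFIG_PATH, good).status)
```

The point to take from the two handlers is where the check sits: in the weak shape the config is served before any notion of "logged in" exists on the server, so whatever the front-end shows is irrelevant to a client that requests the file directly. Putting the instance behind a reverse proxy or identity-aware gateway that authenticates every path, config file included, gives the second shape.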