Exposing external storage server IPs

[themago]

Oversight on Error notice?

▶ Reproduction steps Version 3.18.0 using peafowl Uploading images. 😢 Unexpected result Error shows ip to external storage to regular members, which feels like it's far from intended? 📃 Error log message Error - Can't upload image - storage error - Can't SFTP login to [IP-address] server

chevereto.com

Can you "kindly" stop responding like a pajeet and fix this major security flaw? fucking clown

 

[JakeSully]

Maybe you should be more kind and not write such rude words at end.

 

[imghut]

How is this a security flaw? you can find ip of any website easily, extarnal storage or not, domains resolve to ip addresses.

 

[Rodolfo]

Chill and come back with a friendly apology.

By the way, if you care to not expose IPs then use local hostname overrides in your host machine. That's works universally in every application/software, if you care about that thing then that's what you use.

 

[siddharth]

I can see that the issue he is pointed out can be fixed. Because it is exposing the IP on the front end. Incase if the SFTP is down and when a user trying to upload it is showing the IP of the server in the front end. I can see this from the screenshot.

Instead, we can just say that, there is some error in the upload without revealing more information about the host details.

 

[Rodolfo]

I can see that the issue he is pointed out can be fixed.

V3.20 added hidden messages by default.

 

[JakeSully]

I can see that the issue he is pointed out can be fixed. Because it is exposing the IP on the front end. Incase if the SFTP is down and when a user trying to upload it is showing the IP of the server in the front end. I can see this from the screenshot.

Instead, we can just say that, there is some error in the upload without revealing more information about the host details.

still makes no sense, since ip is still exposed through it's url path if he has that set or you can just ping the subdomain or domain going to it and get ip anyway.

Still this isn't a security flaw.

 

[siddharth]

still makes no sense, since ip is still exposed through it's url path if he has that set or you can just ping the subdomain or domain going to it and get ip anyway.

Still this isn't a security flaw.

You cannot find the IP if you use CloudFlare. So exposing the IP on the front end is the security flaw.

 

[JakeSully]

You cannot find the IP if you use CloudFlare. So exposing the IP on the front end is the security flaw.

that depends some hosts cannot use cloudflare between. Then script fails to upload. Still it isn't a security flaw, to expose ip. Since ip is public thing anyway and can be found anyway in some way.

 

[siddharth]

nope, it cannot be found in any way if you know how to hide it. I can hide the IP through the domain name, but if the script knows the IP, then it should not expose.

I am not going to argue anymore as you are not aware of what we are speaking.

 

[imghut]

https://www.shodan.io/ exposed my ip and my site is on cloudflare, why does it matter? my site is on 2 different VPS servers and both have over 1k login attemps blocked by fail2ban every day, hidden or not your server ip is out there.

 

[rdn]

https://www.shodan.io/ exposed my ip and my site is on cloudflare,

hidden or not your server ip is out there.

You failed some practice to perfectly hide your origin IP.

All my CF powered sites IP is not on that site.

Shodan

Search engine of Internet-connected devices. Create a free account to get started.

www.shodan.io

 

[imghut]

You failed some practice to perfectly hide your origin IP.

Not trying to hide it, just want to speed up my site on the cheap 😉

 

[siddharth]

https://www.shodan.io/ exposed my ip and my site is on cloudflare, why does it matter? my site is on 2 different VPS servers and both have over 1k login attemps blocked by fail2ban every day, hidden or not your server ip is out there.

Yes. You failed at certain practices that reveal your IP.

as @rdn said, all my CF site IP are also not exposed. Let me make you understand how they got your IP.

There are bots which will scan all the IP all over the world and reverse DNS it. And that is how they end up finding the IP to domain relationship and show it for you when you check for domain to IP.

Revealing your IP bring you more threats than not revealing it.

You are more vulnerable to hacks, DDoS and many other threats. Even through they are ways to prevent even after exposing it. For general users it is not safe.

that is why we few people who know things claiming that revealing the IP is security flaw.