Settings and plugins installed exposed on Login Page

Hi All,

I am looking to solve an issue on our Discourse server's login page. The login page is currently exposing settings for the server as well as the plugins installed. This is viewable if you look at the page source or inspect the login page. How do we remove this information from the page or hide it?

Example of plugin code exposed:

<link href="/stylesheets/poll_desktop_2_aaf730f938a1162e369c60cef250ac2b3bf97c05.css?__ws=discourse.bob.host" media="all" rel="stylesheet" data-target="poll_desktop" data-theme-id="3"/>

Example of settings exposed:

<div class="hidden" id="data-preloaded" data-preloaded="{&quot;site&quot;:&quot;{\&quot;periods\&quot;:[\&quot;all\&quot;,\&quot;yearly\&quot;,\&quot;quarterly\&quot;,\&quot;monthly\&quot;,\&quot;weekly\&quot;,\&quot;daily\&quot;],\&quot;filters\&quot;:[\&quot;latest\&quot;,\&quot;unread\&quot;,\&quot;new\&quot;,\&quot;read\&quot;,\&quot;posted\&quot;,\&quot;bookmarks\&quot;],\&quot;user_fields\&quot;:[],\&quot;auth_providers\&quot;:[]}&quot;,&quot;siteSettings&quot;:&quot;{\&quot;default_locale\&quot;:\&quot;en\&quot;,\&quot;title\&quot;:\&quot;bobDiscourse\&quot;,\&quot;short_site_description\&quot;:\&quot;bob Integration Discourse\&quot;,\&quot;contact_email\&quot;:\&quot;infrastructure@bob.com\&quot;,\&quot;contact_url\&quot;:\&quot;https://bob.com\&quot;,\&quot;logo\&quot;:\&quot;/uploads/default/original/1X/96eba37e4fb0f19f8f04e09ad31d1bf14111e122.png\&quot;,\&quot;logo_small\&quot;:\&quot;/uploads/default/original/1X/96eba37e4fb0f19f8f04e09ad31d1bf14111e122.png\&quot;,\&quot;digest_logo\&quot;:\&quot;\&quot;,\&quot;mobile_logo\&quot;:\&quot;\&quot;,\&quot;large_icon\&quot;:\&quot;/uploads/default/original/1X/96eba37e4fb0f19f8f04e09ad31d1bf14111e122.png\&quot;,\&quot;favicon\&quot;:\&quot;/uploads/default/original/1X/96eba37e4fb0f19f8f04e09ad31d1bf14111e122.png\&quot;,\&quot;apple_touch_icon\&quot;:\&quot;\&quot;,\&quot;allow_user_locale\&quot;:false,\&quot;support_mixed_text_direction\&quot;:false,\&quot;suggested_topics\&quot;:5,\&quot;ga_universal_tracking_code\&quot;:\&quot;\&quot;,\&quot;ga_universal_domain_name\&quot;:\&quot;auto\&quot;,\&quot;gtm_container_id\&quot;:\&quot;\&quot;,\&quot;top_menu\&quot;:\&quot;categories|latest|new|unread|top\&quot;,\&quot;post_menu\&quot;:\&quot;read|like|share|flag|edit|bookmark|delete|admin|reply\&quot;,\&quot;post_menu_hidden_items\&quot;:\&quot;flag|bookmark|edit|delete|admin\&quot;,\&quot;share_links\&quot;:\&quot;twitter|facebook|email\&quot;,\&quot;desktop_category_page_style\&quot;:\&quot;categories_with_featured_topics\&quot;,\&quot;category_colors\&quot;:\&quot;BF1E2E|F1592A|F7941D|9EB83B|3AB54A|12A89D|25AAE2|0E76BD|652D90|92278F|ED207B|8C6238|231F20|808281|B3B5B4|E45735\&quot;,\&quot;category_style\&quot;:\&quot;bullet\&quot;,\&quot;enable_mobile_theme\&quot;:true,\&quot;relative_date_duration\&quot;:30,\&quot;fixed_category_positions\&quot;:false,\&quot;fixed_category_positions_on_create\&quot;:false,\&quot;enable_badges\&quot;:true,\&quot;enable_badge_sql\&quot;:false,\&quot;enable_whispers\&quot;:false,\&quot;push_notifications_prompt\&quot;:true,\&quot;vapid_public_key_bytes\&quot;:\&quot;4|170|50|111|127|76|83|223|177|204|254|218|146|40|188|175|8|235|76|71|207|133|49|159|219|30|44|72|138|250|138|188|150|192|11|194|246|81|233|148|144|142|143|243|38|251|133|5|10|219|95|160|9|246|246|186|2|162|200|182|219|187|92|28|26\&quot;,\&quot;invite_only\&quot;:true,\&quot;login_required\&quot;:true,\&quot;must_approve_users\&quot;:false,\&quot;enable_local_logins\&quot;:true,\&quot;enable_local_logins_via_email\&quot;:true,\&quot;allow_new_registrations\&quot;:true,\&quot;enable_signup_cta\&quot;:true,\&quot;enable_sso\&quot;:false,\&quot;sso_overrides_email\&quot;:false,\&quot;sso_overrides_avatar\&quot;:false,\&quot;min_username_length\&quot;:3,\&quot;max_username_length\&quot;:20,\&quot;unicode_usernames\&quot;:false,\&quot;min_password_length\&quot;:10,
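An added example, not from this thread or from Discourse itself, that shows how an admin can decode the data-preloaded attribute on their own login page (HTML entities first, then the nested JSON-in-JSON strings) and list which siteSettings values are actually serialized, so the ones worth reviewing, such as contact_email, can be identified rather than guessed at from the raw blob. The HTML sample and the review list are constructed for the example.

```python
import html
import json
import re

# Constructed sample in the same escaped shape as the snippet quoted in the
# post (the real attribute is far longer); all values here are made up.
SAMPLE_HTML = (
    '<div class="hidden" id="data-preloaded" data-preloaded="'
    '{&quot;site&quot;:&quot;{\\&quot;periods\\&quot;:[\\&quot;all\\&quot;,\\&quot;daily\\&quot;]}&quot;,'
    '&quot;siteSettings&quot;:&quot;{\\&quot;title\\&quot;:\\&quot;Example Discourse\\&quot;,'
    '\\&quot;contact_email\\&quot;:\\&quot;admin@example.invalid\\&quot;,'
    '\\&quot;login_required\\&quot;:true,\\&quot;enable_sso\\&quot;:false,'
    '\\&quot;min_password_length\\&quot;:10}&quot;}"></div>'
)

# Settings named in the thread that an admin may want to look at; this list
# is an assumption for the example, not anything Discourse itself defines.
REVIEW_KEYS = {
    "contact_email", "contact_url", "login_required", "invite_only",
    "enable_sso", "min_username_length", "max_username_length",
    "min_password_length",
}


def parse_preloaded(page_html: str) -> dict:
    """Return the decoded data-preloaded payload as nested Python objects."""
    m = re.search(r'id="data-preloaded"[^>]*data-preloaded="([^"]*)"', page_html)
    if not m:
        raise ValueError("no data-preloaded element found in page")
    # Step 1: undo the HTML attribute escaping (&quot; -> ").
    outer = json.loads(html.unescape(m.group(1)))
    # Step 2: every top-level value is itself a JSON document stored as a
    # string, so decode each one a second time.
    return {k: json.loads(v) if isinstance(v, str) else v for k, v in outer.items()}


def exposed_settings(page_html: str) -> dict:
    """Just the siteSettings object, i.e. what the client-side app receives."""
    return parse_preloaded(page_html).get("siteSettings", {})


def review_report(page_html: str) -> dict:
    """Subset of the exposed settings that are on the review list."""
    settings = exposed_settings(page_html)
    return {k: settings[k] for k in sorted(REVIEW_KEYS & settings.keys())}


if __name__ == "__main__":
    for key, value in review_report(SAMPLE_HTML).items():
        print(f"{key} = {value!r}")
```

Point it at the saved page source of your own login page to get the same listing for a live instance.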

All these settings are needed on the client, and they can be deduced anyway, so they’re hardly a secret.

What is your exact problem with this?

Thank you Richard,

Judging by your response this is standard config and the risk has been considered and deemed not to be an issue.

I thought this is an issue, because:

When an adversary is looking for weaknesses in websites and how they could potentially exploit them, they start by finding as much information on them as possible. The information in the website code allows an adversary to go from zero knowledge to more knowledge without expending much effort.

As an example, the settings give an attacker very clear guidance on how the security model has been set up, which then allows them to target an attack. Minimum user length, max username length and minimum password length are all useful in narrowing down what avenues to attack. Is SSO enabled? Is 2FA enabled or not?

This information is also useful for finding discourse servers online that have been potentially misconfigured. A Google Dork could be used to find Discourse servers that are potentially insecure or easily breached.

If this information had not been available in JSON format in the source code, it would probably take around one hour to write a script that extracts this information anyway. After all, by attempting to sign up, a form validator would also give you information like username and password lengths.

I don’t think that any of this information gives away any kind of information about a misconfiguration or insecure setup.

Discourse is open source and default settings are publicly documented anyway.

It clearly isn’t advantage enough to earn a hacker bounty.

I’m not sure how we have gone from my original question, where I wanted to reduce the amount of information on our Discourse site's login page, to a hacker bounty? What I am asking about is not a vulnerability in the code. It is simply more information than I feel comfortable having on a login page, and I wanted to find a way to remove it.

Please stick to the topic.

Hi Richard,

I differ from you in my view on this, but that is my view and I understand that other people will have a different take on this. I feel we have diverged away from the initial request somewhat, discussing potential threats that may or may not be a risk.

Is there a way for me to reduce the visibility of this information, or is that not possible? If not, I will move on and we can close this support request.