Timothy Langer

Bug hunting on zeevox.net


TL;DR Kudos and kleos to anyone who finds vulnerabilities, publicly accessible sensitive information or other bugs on my website, zeevox.net. Potentially edible and monetary prizes available too. Contact me at zeevox dot dev at gmail dot com to report these.

Fixed CVEs

Out of date WordPress version (Haren S.)

My thanks go to Haren for discovering that my WordPress version was significantly out of date. The WordPress version provided in the Ubuntu repositories for 20.04 is v5.3.2 which has some pretty serious published CVEs. Thanks to Haren’s input we upgraded WordPress to the latest version, v5.7.

Home Assistant (Haren S.)

I run a Home Assistant instance on my server, proxied from home.zeevox.net through Apache2 to a port on localhost. Home Assistant has built-in IP blocking functionality, which I enabled to prevent people from brute-forcing passwords on my site. I did not configure this functionality correctly for my reverse proxy, though: when an incorrect password was entered five consecutive times it would block that IP address, but because every request arrived via the reverse proxy, Home Assistant blocked the IP address 127.0.0.1 (localhost) instead of the actual user’s address, thus disabling access for everyone trying to reach home.zeevox.net. Correctly configuring the proxy X-Forwarded-For headers now means the actual client’s IP is blocked.
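The failure mode above is generic to any login throttle sitting behind a reverse proxy: the throttle sees the proxy's own address unless it is told which upstream it may trust and which header carries the real client. The following is an added illustration, not code from this site or from Home Assistant (which configures the same idea via its http integration's use_x_forwarded_for and trusted_proxies options). All addresses and headers are constructed for the example; the bug is reproduced by running the simulation with the forwarded header ignored, and the fix by running it with the header honoured only from the trusted proxy.

```python
import ipaddress
from collections import defaultdict

# Constructed settings: the reverse proxy lives on localhost and bans
# trigger after five consecutive failed logins (mirrors the post).
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
LOGIN_ATTEMPTS_THRESHOLD = 5


def client_ip(peer_addr, headers, use_x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the address a login throttle should count against.

    The forwarded header is only honoured when the TCP peer is a trusted
    proxy; anyone else could set the header themselves to shift blame.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not use_x_forwarded_for:
        return str(peer)  # misconfigured deployment: everything looks like the proxy
    if not any(peer in net for net in trusted_proxies):
        return str(peer)  # header from an untrusted peer is not believed
    forwarded = headers.get("X-Forwarded-For", "")
    if not forwarded:
        return str(peer)
    # With a single trusted proxy, the rightmost entry is the one that proxy
    # appended, i.e. the address that actually connected to it.
    candidate = forwarded.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return str(peer)  # malformed header: fall back to the peer address


class LoginBanTracker:
    """Counts failed logins per address and bans after a threshold."""

    def __init__(self, threshold=LOGIN_ATTEMPTS_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.banned = set()

    def record_failure(self, ip):
        if ip in self.banned:
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)
        return ip in self.banned

    def is_banned(self, ip):
        return ip in self.banned


def simulate(use_x_forwarded_for):
    """Constructed scenario: one address fails five logins through the proxy,
    then an unrelated legitimate user arrives through the same proxy.

    Returns (banned addresses, whether the legitimate user is locked out).
    """
    tracker = LoginBanTracker()
    guesser = {"X-Forwarded-For": "203.0.113.7"}      # constructed
    legitimate = {"X-Forwarded-For": "198.51.100.20"}  # constructed
    for _ in range(LOGIN_ATTEMPTS_THRESHOLD):
        tracker.record_failure(client_ip("127.0.0.1", guesser, use_x_forwarded_for))
    user_ip = client_ip("127.0.0.1", legitimate, use_x_forwarded_for)
    return sorted(tracker.banned), tracker.is_banned(user_ip)


if __name__ == "__main__":
    print("forwarded header ignored:", simulate(use_x_forwarded_for=False))
    print("forwarded header trusted from proxy:", simulate(use_x_forwarded_for=True))
```

With the header ignored, the only address the throttle ever sees is 127.0.0.1, so the fifth bad login bans the proxy itself and every subsequent visitor is locked out. With the header honoured from the trusted proxy, only the address that actually failed five times is banned. The trusted-proxy check matters as much as the header: if the application accepted X-Forwarded-For from arbitrary peers, a direct connection could present any address it liked.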

Reporting vulnerabilities

If you find a broken link, a bug, a security issue, or information or data that you don’t think should be publicly visible, no matter how big or small, please email me at zeevox dot dev at gmail dot com. The more information you can provide, the better, but anything you may have will be gladly accepted. Depending on the seriousness of the issue we could consider discussing a cash prize.