Since updating to 3.5.2 - Whistleblower cannot use receipt to access submission

#1

Since updating to version 3.5.2, the whistleblower is unable to use the receipt to access his/her submission. Is anyone else having similar issues?


#2

Hello @NYUser

I’m sorry for this inconvenience.

This issue is due to a software error present in the migration for 3.5.0.
If you still have a backup and you have not received new submissions you can:

  • shut down globaleaks
  • put the backup on /var/globaleaks
  • restart globaleaks

This will restore the situation.

Alternatively, you can manually read the ‘receipt_salt’ variable in the Config table of your backup and configure that value on the current database of version 3.5.2.

best,

Giovanni Pellerano


#3

Thank you Giovanni.

We are getting this on a fresh install of 3.5.4 and 3.5.2. This is even for new cases.

I submit a case and when I view it I get the following error:
The key code is either invalid or the submission has expired.


#4

Thank you @NYUser for reporting this.

We will investigate the issue and get back to you shortly,

best,

Giovanni Pellerano


#5

@NYUser: we identified the issue and released a version 3.5.5.

Could you please upgrade and let us know if the fix is confirmed?

best,

Giovanni Pellerano


#6

Is the update available?

I tried: apt-get update && apt-get install globaleaks

Still old version.

I tried:
wget https://deb.globaleaks.org/install-globaleaks.sh
chmod +x install-globaleaks.sh
./install-globaleaks.sh

Still old version 3.5.4


#7

You are right, for some reason the release procedure got stuck.

Would you please retry now?

Thanks!


#8

I tried it and it seems to be working now.

Thanks.


#9

That issue is resolved. However, another issue has been introduced. I just recreated it. If the application is SSL enabled then you can access it using any three common browsers, Firefox, Edge and Chrome. We get the following error in Firefox:

Secure Connection Failed
The connection to 172.24.33.142 was interrupted while the page was loading.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

The site is using a self-signed certificate.

If the traffic is going through Burp Proxy, you do not have the same issue. I have been using Burp for testing, as a result I did not notice it now.

Have there been any new features related to SSL introduced?

UPDATE: You cannot access it with an IP address. You can access it with a hostname. Adding an entry in the hosts file addresses the issue.

BTW, I do have a couple of security findings, I will share them with you later.

Regards,
Younus


#10

Thank you so much @NYUser for reporting this!

Please try to keep information separated by thread topic and use GitHub for bug reporting: https://github.com/globaleaks/GlobaLeaks

This forum is mostly intended for users to share their knowledge while for development reasons GitHub is the preferred tool.


#11

Thank you @evilaliv3.

I will post any issues to GitHub. For this one, I am not sure if this is really an issue.