Onion-Site-Template Tor Secrets Baked Into Docker Image Vulnerability
Vulnerability
The Onion-Site-Template project, in versions that include commit 3196bd89, can unintentionally embed Tor secrets in a Docker image. This happens when the secrets of an existing onion domain are copied into the application. The result can be a compromise if the modified image is shared, or if someone gains access to the user's device outside of a containerized environment.
Impact
If the affected Docker image has been shared or published, the user's website may be considered compromised. Otherwise, as long as the Tor image has not been shared with an untrusted party, the vulnerability remains a potential risk.
Reproduction
To reproduce this vulnerability, build a Docker image from the Tor Dockerfile in the Onion-Site-Template repository, version 3196bd89 or later. If the secrets of an existing onion domain have been copied into the application, they are baked into the resulting Docker image. This can lead to a compromise if the image is shared or if someone gains access to the device outside of a containerized environment.
Remediation
The vulnerability has been fixed in commit bc9ba0fd. Users should update to this version and ensure that Tor secrets are not baked into the Docker image.
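To confirm that an image built before or after the update carries no onion key, every layer can be inspected, since a file deleted in a later layer is still present in the layer that added it. The following is an added example, not code from the Onion-Site-Template project: it assumes the image was exported with `docker save`, looks for Tor's v3 onion service key file name `hs_ed25519_secret_key`, and runs against a constructed sample archive whose paths and contents are illustrative.

```python
import io
import tarfile

# File name Tor uses for a v3 onion service private key in HiddenServiceDir.
SECRET_NAMES = {"hs_ed25519_secret_key"}

def find_onion_secrets(image_tar: bytes) -> list[tuple[str, str]]:
    """Return (layer, path) for each onion secret key in any image layer."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:*") as outer:
        for entry in outer:
            if not entry.isfile():
                continue
            blob = outer.extractfile(entry).read()
            try:
                layer = tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")
            except tarfile.TarError:
                continue  # manifest/config JSON, not a layer archive
            with layer:
                for member in layer:
                    base = member.name.rsplit("/", 1)[-1]
                    if member.isfile() and base in SECRET_NAMES:
                        hits.append((entry.name, member.name))
    return hits

def make_tar(files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image() -> bytes:
    """Constructed stand-in for `docker save` output; paths are illustrative."""
    hs = "var/lib/tor/hidden_service/"
    added = make_tar({hs + "hs_ed25519_secret_key": b"CONSTRUCTED-PLACEHOLDER"})
    # A later layer that deletes the key only adds a whiteout marker.
    deleted = make_tar({hs + ".wh.hs_ed25519_secret_key": b""})
    return make_tar({"manifest.json": b"[]",
                     "layer1/layer.tar": added,
                     "layer2/layer.tar": deleted})

if __name__ == "__main__":
    for layer, path in find_onion_secrets(sample_image()):
        print(f"onion secret in {layer}: {path}")
```

Any hit means the key is recoverable from the image and the onion domain's secrets should be treated as exposed wherever that image has been shared.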
