Executive Summary
Hypha is an open source submission management platform to receive and manage applications for funding, which Open Technology Fund (OTF) developed internally with community partners. It’s an easy-to-use, secure, and privacy-focused application and project management system for application reviewers, prospective and current funding recipients, and project managers. OTF uses Hypha to solicit and manage applications for its various funding mechanisms and lab services. As privacy and security are crucially important to OTF and the community we serve, we regularly seek audits of the platform. The most recent audit, prior to this one, occurred in 2021.
In late 2023, OTF launched a new frontend website via WordPress. This is the first security audit of the new site.
OTF’s goal with this audit and remediation was to ensure the continued safety and security of OTF applicants, partners, and site visitors.
Audit Description
Through OTF’s Security Lab, Radically Open Security conducted a whitebox (or “crystal-box”) penetration test of the organization’s Hypha web application platform and the beta OTF website. A whitebox review is a form of application testing that provides the tester with complete knowledge of the application being tested, including access to source code and design documents. The goal was to find vulnerabilities and exploit any that were found to try to gain further access and elevated privileges. The audit took place between July 21, 2023 and September 13, 2023.
Scope
The scope of the penetration test was limited to the following targets:
- Hypha web application (subdomain, particularly the project components)
- OTF beta website (WordPress)
Findings
Radically Open Security’s audit uncovered 24 issues: one was identified as “high-severity,” four were deemed “moderate,” and 19 were considered “low-severity.” The moderate and low-severity issues did not pose a major immediate risk, but their resolution will make it harder for adversaries to successfully attack the application, infrastructure, and users.
Hypha
High-Severity Issue: A flaw that would allow an authenticated low-privileged user or higher, such as a partner, to see the comments of other users on an application. This could expose private information, which, when found, could have a high impact on the confidentiality of the application.
Other Issues: The other issues found in the Hypha application were “moderate” and “low-severity” issues caused by insecure session management (sessions remained valid for 14 days), improper input validation that could result in cross-site scripting, cross-domain inclusion of a Google Translate script, a missing Content-Security-Policy (CSP) header, improper protection of backup two-factor authentication (2FA) tokens, insufficient anti-automation, user enumeration, and other misconfigurations.
OTF Beta Website (WordPress)
All the issues discovered were “moderate” or “low-severity.” They included: 2FA disabled for the admin users; lack of a CSP header; the WordPress version can be found easily; the management interface is exposed; and the development and test websites are publicly accessible, while a password is required for the beta website.
Remediation
OTF fixed the high-severity issue with Hypha (so the API is no longer publicly exposed) and 14 other issues. With the removal of the whole public part of Hypha in late 2023, some of the insecure features identified are no longer issues.