# OONI team report April 2014
## Least Authority security audit
This month we mainly focused on addressing the issues raised during the Least Authority audit of the application.
In particular, the following issues were found, and a resolution has been provided for each.
No critical vulnerability has been found in the probe software. Users are nonetheless highly encouraged to update to the latest version of ooni-probe as soon as a release is out.
* Issue A. CSRF Token Not Compared in Constant Time: https://github.com/TheTorProject/ooni-probe/issues/317
* Issue B. Arbitrary File Write in Input File Uploader: https://github.com/TheTorProject/ooni-probe/issues/318
* Issue C. User Input Written to Logs: https://github.com/TheTorProject/ooni-probe/issues/302
* Issue D. Tor Build Script Downloads zlib Over HTTP: https://github.com/TheTorProject/ooni-probe/issues/303
* Issue E. Denial of Service by Uploading Lots of Header Lines: https://github.com/TheTorProject/ooni-probe/issues/304
* Issue G. Cross-Site Scripting in HTTPRandomPage: https://github.com/TheTorProject/ooni-probe/issues/305
* Issue F. `oonid` Lacks Authentication Checks: https://github.com/TheTorProject/ooni-probe/issues/319
## Improvements to ooni-probe
* Added support for recording the Tor Exit IP used when performing the http_requests test: https://github.com/TheTorProject/ooni-probe/issues/81 https://github.com/TheTorProject/ooni-probe/pull/299
* We now have a manpage for the ooniprobe CLI tool: https://github.com/TheTorProject/ooni-probe/pull/315
* Fixed an issue that led to unit tests writing outside the build directory, which caused the Debian package build bot to complain: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743108 https://github.com/TheTorProject/ooni-probe/pull/314
* The bridge_reachability test now supports fteproxy and includes the Tor version in the report: https://github.com/TheTorProject/ooni-probe/pull/297
~ Art.