
[tor-talk] Persistent XSS vulnerability in TorStatus




"TorStatus is a website display used to summarize metrics about the Tor
Network. It's a precursor to http://metrics.torproject.org. The code
repository is at https://svn.torproject.org/svn/torstatus/. Example running
sites are http://torstatus.blutmagie.de/ [...]"

Note: TorStatus is not a Tor Project product and is not maintained.


Vulnerability
-------------
DisplayRouterRow() in index.php prints the contact information string
from a server descriptor - defined via 'ContactInfo' in torrc by a node
operator - into the HTML page without proper output encoding. This leads
to a persistent cross-site scripting vulnerability where every Tor node
operator can insert HTML/JavaScript on all vulnerable TorStatus mirrors.

The contact information column is only included in the HTML page if the
end-user (browsing a TorStatus mirror) adds the contact column via
"Advanced Display Options" (column_set.php); it is not included by
default. An attacker might set the displayed columns for a victim via
CSRF.

A simple search in the server descriptors of the last two months did not
reveal obvious exploitation in that time period. The search used is too
crude to give a definitive answer:
[grep -hir ^contact * |egrep -i '(script|src)']
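An added example, not part of the original post, that widens the grep above into a small scanner: it parses constructed descriptor-style text (relay names and contact lines are made up), separates contact lines that carry actual markup from ones that merely contain characters needing encoding (an email address in angle brackets, for instance), and shows the output encoding the patched DisplayRouterRow() applies, using Python's html.escape as the analogue of htmlentities($x, ENT_QUOTES).

```python
import html
import re

# Constructed descriptor-style text in the shape of Tor server descriptors
# (only the 'router' and 'contact' lines matter here); not real relay data.
SAMPLE_DESCRIPTORS = """\
router alpha 192.0.2.10 9001 0 0
contact Alice <alice@example.net>
router beta 192.0.2.11 9001 0 0
contact <b>beta</b> relay ops
router gamma 192.0.2.12 9001 0 0
contact abuse@example.org (PGP key available)
router delta 192.0.2.13 9001 0 0
"""

# Free-text ContactInfo has no business containing these; unpatched
# DisplayRouterRow() would have written them into the page as live markup.
MARKUP_PATTERNS = [
    re.compile(r"<\s*/?[a-z][a-z0-9]*(\s[^>]*)?/?>", re.I),  # an HTML tag
    re.compile(r"\bon[a-z]+\s*=", re.I),                    # event-handler attribute
    re.compile(r"javascript\s*:", re.I),                    # script URL scheme
]

def parse_contacts(descriptors):
    """Return (nickname, contact) pairs; a relay without a contact line gets ''."""
    relays = []
    for line in descriptors.splitlines():
        if line.startswith("router "):
            relays.append([line.split()[1], ""])
        elif line.startswith("contact ") and relays:
            relays[-1][1] = line[len("contact "):]
    return [tuple(r) for r in relays]

def classify_contact(contact):
    """'markup' for HTML/JS, 'escape-only' when it merely holds characters that
    need encoding (e.g. an <email> in angle brackets), 'plain' otherwise."""
    if any(p.search(contact) for p in MARKUP_PATTERNS):
        return "markup"
    if html.escape(contact, quote=True) != contact:
        return "escape-only"
    return "plain"

def render_contact_cell(contact):
    """The patched behaviour: encode before the string reaches the HTML."""
    return "<td class='TDS'>" + html.escape(contact, quote=True) + "</td>"

def scan(descriptors):
    """Map each relay nickname to its contact classification."""
    return {nick: classify_contact(c) for nick, c in parse_contacts(descriptors)}
```

Whatever the classification, the cell is always rendered through render_contact_cell(); the scan only tells you which descriptors deserve a closer look.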

Affected Versions
-----------------
4.0
3.6.1
3.6
3.5
3.4.2
3.4.1
and probably others


Solution
--------
The attached patch was committed to the svn (revision r24666).
https://svn.torproject.org/svn/torstatus/




Thanks to Robert, Andrew, Olaf, Damian and Sebastian.
762c762
< 			echo "<td class='TDS'>" . $record[$value] . "</td>";
---
> 			echo "<td class='TDS'>" . htmlentities($record[$value], ENT_QUOTES) . "</td>";
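Review bot: the new htmlentities() call at line 762 passes no charset, so the encoding it assumes follows the PHP version's default (ISO-8859-1 before PHP 5.4, UTF-8 from 5.4 on), and ContactInfo strings can carry non-ASCII bytes; pass it explicitly, e.g. `htmlentities($record[$value], ENT_QUOTES, 'UTF-8')`, and note that with an explicit UTF-8 charset an invalid byte sequence makes the function return an empty string on PHP 5.4+ unless ENT_SUBSTITUTE is added, which is a safe failure but will blank the cell. Since only the five HTML-significant characters need encoding here, htmlspecialchars() with the same arguments would be the tighter choice. The hunk covers only this echo in the generic column loop; it is worth confirming that no other code path in index.php writes a descriptor field into markup unencoded.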