[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Persistent XSS vulnerability in TorStatus

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
From: tagnaq <tagnaq@xxxxxxxxx>
Date: Mon, 25 Apr 2011 12:59:31 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 25 Apr 2011 06:59:44 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:message-id:date:from:mime-version:to:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=zRkVB2BpyEvsFPyuBAZFE/z5N+iX1YEA9r4wvulbsZE=; b=UNsuqxjmurR8mN5wynvMtRqLdkCUKje3qJ1YCf4tWT/c4dcglN1t774Kc0MRJJKyLM 5FSZnDmYnPHje6syBXC85mAguRtds305sVcTwyTmygK5xC3fEm79zzHPFEmhdhx2pE2G ok5p1cN0iJ8zTcnrE2yFmhlxydkPn/3FdqqtY=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; b=CwGyo7ROxk8hlMqb7oRRx9ivDjtqBMsT0PZ8I++oiuYvxSj9DSca/YCpNE4TWgDSpz l6p4J89FNusxhuemOMj9mudlV9Zvqif7rwWMyieqdYJcnAGww2RCwE/sHRXGoJmtrhYu OmAsiYvlyHW4ldn/8eFzId+rcJlplJYJuXysQ=
In-reply-to: <006601cc032d$de344180$0201a8c0@warmachine>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4DB305BF.6040906@xxxxxxxxx> <006601cc032d$de344180$0201a8c0@warmachine>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

> Thanks for this.. you might be interested to know that co-incidentally I
> had a nasty experience with one of these sites (don't know which now)
> running this code some 4-6 months ago. 

A search (grep) in the server descriptor archive starting with
2009-01-01 didn't show anything obviously nasty in the contact field -
so if a TorStatus site contained something nasty in that time period it
probably wasn't this vulnerability.
...but TorStatus is not properly html encoding everywhere where it should.

> I had to switch jscript on to
> view the site 

TorStatus sites usually do not require JavaScript.

> Do you reckon a jscript (code injection) vulnerability over Tor, like
> the one you uncovered, could lead to stack based attacks (the system
> slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a remote
> control trojan as I have just removed?

The vulnerability reported in the original posting (a web application
not doing proper output encoding) has basically nothing to do with Tor
beside the fact that the web application does show Tor nodes information
and the way how an attacker delivers its payload to the website.

So your question boils down to:
Can one get compromised when browsing a website?
Yes, you can.

best regards,
tagnaq
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: TheGravitator

References:
- [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: tagnaq
- Re: [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: TheGravitator

Prev by Author: Re: [tor-talk] Better Privacy for Tor Node Operators
Next by Author: Re: [tor-talk] Better Privacy for Tor Node Operators
Previous by thread: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
Next by thread: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
Index(es):
- Author
- Thread