[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Mixed pages - serious bug of tor



Hi to all again,

because it looks like conference did not receive emails with attachments, Im resending my initial email about problem I found. Attachments from original email are here:
http://www.slush.cz/centrumyahoo.png
http://www.slush.cz/centrum.png
http://www.slush.cz/centrumok.png

Regards,
Marek

On Thu, Jul 17, 2008 at 2:16 AM, slush <slush@xxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I dont have better contact (I cannot find any bugzilla for Tor), but I
have to say, that there is serious problem in Tor (using last 0.2.0.30
version). It looks like buffer overflow, but I dont know, if it is
problem of client or exit node (I dont suspect relays).

In attachment, you can see three screenshot of the same page. On two
of that, there are big artefacts from other pages (first of them is
yahoo - see "Yahoo privacy policy", second is unknown - Serbia? -
website). Because Im not using yahoo and I dont speak Serbia, these
pages are not from my cache (latest stable Opera without any plugin).

On third screenshot is original look&feel of centrum.cz, one of
biggest portal in Czech Republic. It is almost impossible, that this
is problem on their side. I hear about this Tor problem before weeks,
but I did not believe that.

Some IMPORTANT additional info. I found this bug when I broke my
program using Tor, that he created very much circuits thru Tor (~ 1000
circuits at the same time). I think it is very important for this
description. On other case, I created them using standard Tor
interface (extend circuit command on tor controller) and Tor did not
say me about any problem. So it is definitely bug of tor (even if
suspect, that 1000 circuits are not standard behaviour).

Unfortunately, I dont know, which exit node serves me when error
occured, so I dont know version of exit node :(

Regards,
slush (admin of tor relays slush and mwserver)


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: http://getfiregpg.org

iD8DBQFIfo9Hr7KgZiv8EokRAskDAKCuYxXcd4g3beMQP4Lj/4awpXBoeQCeM7OV
rnAkbBw/a8ssDO6U92u2qVk=
=wVDS
-----END PGP SIGNATURE-----