Re: [tor-bugs] #17303 [DirAuth]: Bad exits inject port 8123 into HTTP redirects
#17303: Bad exits inject port 8123 into HTTP redirects
----------------------+----------------------------------
     Reporter:  ikurua22              |      Owner:
         Type:  defect                |     Status:  new
     Priority:  High                  |  Milestone:  Tor: unspecified
    Component:  DirAuth               |    Version:  Tor: unspecified
     Severity:  Critical              | Resolution:
     Keywords:                        |  Actual Points:
    Parent ID:                        |         Points:
      Sponsor:                        |
----------------------+----------------------------------
Comment (by dcf):
Here is what I have been able to find about these exits.
They seem to only affect plain HTTP redirects. For example, the URL
http://arstechnica.com/?p=716619
should redirect to the URL
http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
but some exits instead rewrite the URL to be
http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
Here is an untampered header:
{{{
HTTP/1.1 301 Moved Permanently
connection: close
content-type: text/html; charset=UTF-8
date: Sun, 04 Oct 2015 20:31:42 GMT
location: http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
server: nginx
set-cookie: country=US; path=/
transfer-encoding: chunked
x-ars-server: web03
}}}
And here is a tampered header. Notice that beyond the addition of ":8123",
it also changed "Transfer-Encoding: chunked" to "Content-Length: 0".
{{{
HTTP/1.1 301 Moved Permanently
connection: close
content-length: 0
content-type: text/html; charset=UTF-8
date: Sun, 04 Oct 2015 20:37:30 GMT
location: http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
server: nginx
set-cookie: country=NL; path=/
x-ars-server: web09
}}}
I ran attachment:http-redirect.py three times in the past weeks.
2015-10-04:: 54 bad exits
2015-10-17:: 39 bad exits
2015-11-10:: 8 bad exits
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17303#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
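An added checker in the spirit of the comparison dcf describes above. This is example code written for this page; it is not the ticket's http-redirect.py and not Tor Project code. Given the known-good response and the response a client saw through a particular exit, it parses the raw HTTP/1.1 headers, compares the Location target against the expected redirect (so an injected ":8123" is reported as a port change), and diffs the remaining headers so the Transfer-Encoding: chunked to Content-Length: 0 swap is reported as well. The two sample responses are reconstructed from the two headers quoted in the comment; the exit labels, the list of headers treated as volatile, and the check_exit/scan names are assumptions. Fetching through each exit is left out, so it runs offline on captured responses.

```python
"""Offline check for exit-side tampering of HTTP redirects.

Example code added to this page; not the ticket's http-redirect.py.
Feed it raw responses captured through each exit you want to test.
"""
from urllib.parse import urlsplit

# Assumption: headers that legitimately differ between requests to the same
# site (load-balanced backend, geo cookie, timestamp) and must not count.
VOLATILE_HEADERS = {"date", "set-cookie", "x-ars-server", "connection"}

EXPECTED_URL = ("http://arstechnica.com/tech-policy/2015/07/"
                "crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/")

# Constructed samples: the untampered and tampered headers quoted in the
# ticket comment, re-joined into raw HTTP/1.1 responses.
GOOD_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "connection: close\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "date: Sun, 04 Oct 2015 20:31:42 GMT\r\n"
    "location: " + EXPECTED_URL + "\r\n"
    "server: nginx\r\n"
    "set-cookie: country=US; path=/\r\n"
    "transfer-encoding: chunked\r\n"
    "x-ars-server: web03\r\n"
    "\r\n"
)
BAD_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "connection: close\r\n"
    "content-length: 0\r\n"
    "content-type: text/html; charset=UTF-8\r\n"
    "date: Sun, 04 Oct 2015 20:37:30 GMT\r\n"
    "location: " + EXPECTED_URL.replace("arstechnica.com/", "arstechnica.com:8123/", 1) + "\r\n"
    "server: nginx\r\n"
    "set-cookie: country=NL; path=/\r\n"
    "x-ars-server: web09\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def location_findings(expected_url, headers):
    """Compare the observed Location header with the expected redirect target."""
    loc = headers.get("location")
    if loc is None:
        return ["Location header missing"]
    exp, got = urlsplit(expected_url), urlsplit(loc)
    findings = []
    if got.scheme != exp.scheme:
        findings.append("scheme changed: %s -> %s" % (exp.scheme, got.scheme))
    if got.hostname != exp.hostname:
        findings.append("host changed: %s -> %s" % (exp.hostname, got.hostname))
    if got.port != exp.port:  # urlsplit().port is None when no port is given
        findings.append("port injected: %s -> %s" % (exp.netloc, got.netloc))
    if (got.path, got.query) != (exp.path, exp.query):
        findings.append("path/query changed: %s" % loc)
    return findings


def header_findings(baseline, observed):
    """Headers added, removed or changed relative to the known-good response."""
    findings = []
    names = (set(baseline) | set(observed)) - VOLATILE_HEADERS - {"location"}
    for name in sorted(names):
        b, o = baseline.get(name), observed.get(name)
        if b == o:
            continue
        if b is None:
            findings.append("header added: %s: %s" % (name, o))
        elif o is None:
            findings.append("header removed: %s: %s" % (name, b))
        else:
            findings.append("header changed: %s: %s -> %s" % (name, b, o))
    return findings


def check_exit(expected_url, baseline_raw, observed_raw):
    """All findings for one exit's response; an empty list means it looks clean."""
    b_status, b_headers = parse_response(baseline_raw)
    o_status, o_headers = parse_response(observed_raw)
    findings = []
    if o_status != b_status:
        findings.append("status changed: %d -> %d" % (b_status, o_status))
    findings += location_findings(expected_url, o_headers)
    findings += header_findings(b_headers, o_headers)
    return findings


def scan(expected_url, baseline_raw, responses_by_exit):
    """Map exit label -> findings, keeping only the exits that tampered."""
    bad = {}
    for exit_label, raw in responses_by_exit.items():
        try:
            findings = check_exit(expected_url, baseline_raw, raw)
        except ValueError as e:
            findings = ["unparseable response: %s" % e]
        if findings:
            bad[exit_label] = findings
    return bad


if __name__ == "__main__":
    # Hypothetical exit labels standing in for relay fingerprints.
    captured = {"exit-A": GOOD_RESPONSE, "exit-B": BAD_RESPONSE}
    for label, findings in scan(EXPECTED_URL, GOOD_RESPONSE, captured).items():
        print(label)
        for f in findings:
            print("  -", f)
```

Running it prints exit-B with three findings: the injected port, the added Content-Length: 0, and the removed Transfer-Encoding: chunked. The diff deliberately reports the body-framing change separately from the Location rewrite, because an exit that only strips the chunked body (without touching Location) would otherwise go unnoticed.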
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs