[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Persistent XSS vulnerability in TorStatus

----- Original Message ----- 
From: "tagnaq" <tagnaq@xxxxxxxxx>
To: <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Sent: Monday, April 25, 2011 11:59 AM
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus

> > Thanks for this.. you might be interested to know that
co-incidentally I
> > had a nasty experience with one of these sites (don't know which
> > running this code some 4-6 months ago.
> A search (grep) in the server descriptor archive starting with
> 2009-01-01 didn't show anything obviously nasty in the contact field -
> so if a TorStatus site contained something nasty in that time period
> probably wasn't this vulnerability.
> ...but TorStatus is not properly html encoding everywhere where it

Yes, but you'd inject the script later and so not get caught.

> > I had to switch jscript on to
> > view the site
> TorStatus sites usually do not require JavaScript.

I think you'll find that when you need to order the output or filter it,
you need jscript on, if not in the code then that might explain it all.
Maybe there's a way these functions can be turned off by a jscript
injection, forcing the user to turn it on to sue them.

> > Do you reckon a jscript (code injection) vulnerability over Tor,
> > the one you uncovered, could lead to stack based attacks (the system
> > slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a
> > control trojan as I have just removed?
> The vulnerability reported in the original posting (a web application
> not doing proper output encoding) has basically nothing to do with Tor
> beside the fact that the web application does show Tor nodes
> and the way how an attacker delivers its payload to the website.

Other than it allowed Tor exits to inject code "This leads
to a persistent cross-site scripting vulnerability where every Tor node
 operator can insert HTML/JavaScript on all vulnerable TorStatus

> So your question boils down to:
> Can one get compromised when browsing a website?
> Yes, you can.
Yes code injection can indeed can be achieved on the www... Q was, can
javascript, in this manner, take advantage of stack overflow
vulnerability, to implant trojans/viruses, I hguess you are saying yes
to this.



> best regards,
> tagnaq
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

tor-talk mailing list