[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Persistent XSS vulnerability in TorStatus

To: <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
From: TheGravitator <thegravitator@xxxxxxxxxxxxxx>
Date: Mon, 25 Apr 2011 17:42:25 +0100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 25 Apr 2011 12:42:42 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:message-id:from:to:references:subject:date :mime-version:content-type:content-transfer-encoding:x-priority :x-msmail-priority:x-mailer:disposition-notification-to:x-mimeole; bh=oxnwCZ0DW+taKT8zZsSfqcnB37/Fdmq+BlOyxgWf57Q=; b=jwiHUw9v4X+0fpvvR0oOdaVgg5Rp4CAqWNHXNTBpq0c4YzVjW4l8hpw6vVWj1BZriq gKiIkq1R4kFsP3hoamRNl+8ZLnul58WEF15w0AP7m/yjzGEgJCfTSx70Wt6GIdY9Xxb7 DTyO68AHc9HeFE56JAr0t9J/okdVj7AezhZ8w=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=message-id:from:to:references:subject:date:mime-version :content-type:content-transfer-encoding:x-priority:x-msmail-priority :x-mailer:disposition-notification-to:x-mimeole; b=ApADdb1J4NSliBJGUTt/DedFH6dYy7iKk15aIT2UQutacOdJM91sGdIbdnTWfPuqNU n8dBb2pcryHlS9WCpo2TYBLMi4/r1xnyd6ekajSl6fZ0xT3OAw2WFEjRfIVQK3ZxTVgn zt7KMaHVtSymfkxCikWg9AXGByPyd4wrY/bRA=
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <4DB305BF.6040906@xxxxxxxxx><006601cc032d$de344180$0201a8c0@warmachine> <4DB55413.9080901@xxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

----- Original Message ----- 
From: "tagnaq" <tagnaq@xxxxxxxxx>
To: <tor-talk@xxxxxxxxxxxxxxxxxxxx>
Sent: Monday, April 25, 2011 11:59 AM
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus


> > Thanks for this.. you might be interested to know that
co-incidentally I
> > had a nasty experience with one of these sites (don't know which
now)
> > running this code some 4-6 months ago.
>
> A search (grep) in the server descriptor archive starting with
> 2009-01-01 didn't show anything obviously nasty in the contact field -
> so if a TorStatus site contained something nasty in that time period
it
> probably wasn't this vulnerability.
> ...but TorStatus is not properly html encoding everywhere where it
should.
>

Yes, but you'd inject the script later and so not get caught.

> > I had to switch jscript on to
> > view the site
>
> TorStatus sites usually do not require JavaScript.
>

I think you'll find that when you need to order the output or filter it,
you need jscript on, if not in the code then that might explain it all.
Maybe there's a way these functions can be turned off by a jscript
injection, forcing the user to turn it on to sue them.

> > Do you reckon a jscript (code injection) vulnerability over Tor,
like
> > the one you uncovered, could lead to stack based attacks (the system
> > slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a
remote
> > control trojan as I have just removed?
>
> The vulnerability reported in the original posting (a web application
> not doing proper output encoding) has basically nothing to do with Tor
> beside the fact that the web application does show Tor nodes
information
> and the way how an attacker delivers its payload to the website.
>

Other than it allowed Tor exits to inject code "This leads
to a persistent cross-site scripting vulnerability where every Tor node
 operator can insert HTML/JavaScript on all vulnerable TorStatus
mirrors."

> So your question boils down to:
> Can one get compromised when browsing a website?
> Yes, you can.
.
Yes code injection can indeed can be achieved on the www... Q was, can
javascript, in this manner, take advantage of stack overflow
vulnerability, to implant trojans/viruses, I hguess you are saying yes
to this.

Thanks,

Cheers

>
> best regards,
> tagnaq
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: tagnaq

References:
- [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: tagnaq
- Re: [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: TheGravitator
- Re: [tor-talk] Persistent XSS vulnerability in TorStatus
  - From: tagnaq

Prev by Author: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
Next by Author: Re: [tor-talk] Dropbox over Tor feedback
Previous by thread: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
Next by thread: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
Index(es):
- Author
- Thread