[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Security issue




Hello

I found a security issue in Tor.
With Tor Browser Bundle default settings any web-site can access to local resources by JavaScript and XMLHttpRequest.
For example ANY web-site can scan local ports sending a requests to http://127.0.0.1:port and see what port is opened.
For example: http://127.0.0.1:80, http://127.0.0.1:8080 and any other ports.
If some application listen some port it will be able to accept connections and responce to them. If it will be a local web-server any web-site that you visit can view html-pages on it even if all external incoming connections from Internet to this port are disabled by system firewall and only local connections from 127.0.0.1 are allowed.


The decision is turn on ABE (Application Boundaries Enforcer) by default in NoScript Add-On. Now it's disabled by default.
After this any web-site can't get access to http://127.0.0.1:port by JavaScript and XMLHttpRequest.

This rule will be added in NoScript by default if you turn on ABE:
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny


If you have default settings of Tor Browser Bundle, ABE is not turned on.
If so you can test what ports are opened on your computer for example here: http://tortestprivacy.url.ph/

Regards

--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk