Re: [tor-talk] Security issue
On 01/20/2014 14:53, tortestprivacy tortestprivacy wrote:
> I found a security issue in Tor.
> With Tor Browser Bundle default settings any web-site can access
> local resources by JavaScript and XMLHttpRequest.
> For example ANY web-site can scan local ports sending requests to
> http://127.0.0.1:port and see what port is open.
> For example: http://127.0.0.1:80, http://127.0.0.1:8080 and any other
> ports.
> If some application listens on some port it will be able to accept
> connections and respond to them. If it is a local web-server, any
> web-site that you visit can view html-pages on it even if all external
> incoming connections from the Internet to this port are disabled by the system
> firewall and only local connections from 127.0.0.1 are allowed.

I don't think browsers in general allow connections on loopback
interfaces, unless explicitly requested by users. If any of the browsers
do, this is a security violation irrelevant to Tor.
If you are confident this is an issue with Firefox, you should create a
PR for the Firefox project (in Mozilla Bugzilla).
Yuri
--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
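
The loopback access reported in the quoted message can be refused by a policy check on each request's target. The following is an added example, not part of the original thread and not Tor Browser or Firefox code; the function names `isLoopbackHost` and `shouldBlockRequest` are hypothetical, and the sample URLs are constructed.

```javascript
// Added example: a request-target policy a filtering proxy or extension could apply.
// Function names are hypothetical, not a Tor Browser or Firefox API.

// True when a hostname, as normalized by the WHATWG URL parser, is loopback.
function isLoopbackHost(hostname) {
  const h = hostname.toLowerCase().replace(/\.$/, "");
  // "localhost" and every name under it are reserved for loopback (RFC 6761).
  if (h === "localhost" || h.endsWith(".localhost")) return true;
  // IPv6 literals arrive bracketed and compressed, e.g. "[::1]".
  if (h.startsWith("[")) {
    const v6 = h.slice(1, -1);
    if (v6 === "::1") return true;
    // IPv4-mapped form, e.g. ::ffff:7f00:1; high byte of first hextet is 127.
    const m = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(v6);
    return m !== null && (parseInt(m[1], 16) >> 8) === 127;
  }
  // IPv4: the parser has already rewritten 2130706433, 0x7f.1 and 127.1
  // into dotted-decimal form, so one check covers all of 127.0.0.0/8.
  const v4 = /^(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(h);
  return v4 !== null && Number(v4[1]) === 127;
}

// Refuse a request when a page that is not itself served from loopback
// targets a loopback address. Unparseable input fails closed.
function shouldBlockRequest(pageUrl, requestUrl) {
  let page, target;
  try {
    page = new URL(pageUrl);
    target = new URL(requestUrl, pageUrl); // resolves relative URLs
  } catch {
    return true;
  }
  if (!isLoopbackHost(target.hostname)) return false;
  return !isLoopbackHost(page.hostname);
}
```

This inspects URL literals only; a hostname that resolves to 127.0.0.1 through DNS has to be caught where the connection is made, after name resolution.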