[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Insecurities in Privoxy Configurations - Details

Hash: SHA1

At the end of October, updated Vidalia bundles were released that
addressed some insecurities in the Privoxy configuration in versions
prior to  A brief advisory was posted at the time [1].

Full details and sample exploit code are now available from [2].

For those impatient to get back to debating the finer points of the
law and legal responsibilities, here is the two minute version.

Privoxy has three configuration options of interest:

 - enable-remote-http-toggle
 - enable-remote-toggle
 - enable-edit-actions

1) If the 'enable-remote-http-toggle' option is set, any client side
   technology that can generate HTTP headers can bypass Privoxy
   content filtering by adding a header of: "X-Filter: No".

2) If the 'enable-remote-toggle' option is set, then any web browser
   vulnerabilities that can spoof HTTP Referer headers can be used to
   completely disable Privoxy filtering.

For Firefox and prior, the following HTML snippet is typically
sufficient to disable Privoxy:

<form name="pwn" target="_self" action="http://config.privoxy.org/";>
<script defer="defer">
setTimeout('document.forms["pwn"].submit()', 100);
alert("wait for it");
window.location = "http://config.privoxy.org/toggle?set=disable";;

3) If the 'enable-edit-actions' option is set, then any web browser
   vulnerability that can spoof HTTP Referer headers and determine the
   modification time of the 'user.action' file can modify the Privoxy

Most recent Vidalia bundles for Windows install the 'user.action' file
with a consistent file time.  If a user has never edited any actions,
then the time is known (usually within plus or minus one hour).  One
of the sample Privoxy filter rules includes actions that can be used
to block all web requests simply by specifying a URL value of "./".

Using Referer spoofing and the known modification time of the
'user.action' file, a malicious script could generate requests that
would completely block all user web traffic through Privoxy.

[1] http://archives.seul.org/or/talk/Oct-2007/msg00291.html
[2] http://pseudo-flaw.net/content/tor/vidalia-insecure-privoxy- configuration/

Version: GnuPG v1.4.7 (Darwin)