"Kyle Williams" <kyle.kwilliams@xxxxxxxxx> wrote:

> On 10/31/07, Gregory Fleischer (Lists) <gfleischer.lists@xxxxxxxxx> wrote:
> > Versions of the Vidalia bundle prior to 0.1.2.18 install Privoxy with
> > an insecure configuration file. Both Windows and Mac OS X versions
> > are affected. The installed 'config.txt' file ('config' on Mac OS X)
> > had the following option values set to 1:
> >
> > - enable-remote-toggle
> > - enable-edit-actions
> >
> > Additionally, on Windows the following option was set to 1:
> >
> > - enable-remote-http-toggle
> >
> > Malicious sites (or malicious exit nodes) could include active content
> > (e.g., JavaScript, Java, Flash) that caused the web browser to:
> >
> > - make requests through the proxy that causes Privoxy filtering to
> > be bypassed or completely disabled
> >
> > - establish a direct connection from the web browser to the local
> > proxy and modify the user defined configuration values
>
> I know what that code would be (cause I tried this awhile back), but I'm not
> going to be the one to post it. Although anyone with basic HTML coding
> abilities and half a brain can figure it out. And javascript/java/flash
> isn't required to make this happen. It can be done with a simple IFRAME.
> But I'm not posting the one line of HTML code that would do this, no sir.
>
> We noted this a while back with JanusVM, but I don't think we documented the
> reasoning behind it.

Let me get this straight. A while ago, you found a vulnerability that allows an attacker to change Privoxy's action files without relying on the user to execute untrusted code, but decided not to report it to the Privoxy Team and/or the people behind the Vidalia bundle and instead only fixed it in your own Tor+Privoxy distribution?

Is there a remote chance that you could come around to do the right thing and report it now?

Fabian
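A way to check an installed Privoxy config for the three options named in the quoted advisory, as an added example that is not part of this thread or of the Privoxy or Vidalia projects. The parsing is simplified (assumed: `#` starts a comment, one `keyword value` directive per line), any value other than `0` is flagged, and the sample config is constructed.

```python
"""Audit a Privoxy main config for the remote-control options in the advisory."""
import sys

# Options the quoted advisory lists as set to 1 in the bundled config.
RISKY_OPTIONS = (
    "enable-remote-toggle",
    "enable-edit-actions",
    "enable-remote-http-toggle",
)


def audit_privoxy_config(text):
    """Return [(line_number, option, value)] for each risky option not set to 0."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        # Simplified parsing (assumption): '#' starts a comment and a
        # directive is "keyword<whitespace>value" on a single line.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        # Conservative choice (assumption): anything but an explicit 0 is flagged.
        if keyword in RISKY_OPTIONS and value != "0":
            findings.append((lineno, keyword, value))
    return findings


# Constructed sample resembling the Windows config.txt described above.
SAMPLE_CONFIG = """\
# Constructed sample, not the bundle's actual file
listen-address 127.0.0.1:8118
enable-remote-toggle 1
#enable-remote-toggle 0
enable-edit-actions  1   # web-based actions editor
enable-remote-http-toggle 1
"""


def main(argv):
    """Audit the file given as argv[1], or the constructed sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    findings = audit_privoxy_config(text)
    for lineno, option, value in findings:
        print(f"line {lineno}: {option} = {value!r} (expected 0)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to `config.txt` (Windows) or `config` (Mac OS X); a non-zero exit status means at least one of the options is still enabled.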