[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Insecure Privoxy Configuration in Vidalia Bundles Prior to

"Kyle Williams" <kyle.kwilliams@xxxxxxxxx> wrote:

> On 10/31/07, Gregory Fleischer (Lists) <gfleischer.lists@xxxxxxxxx> wrote:

> > Versions of the Vidalia bundle prior to install Privoxy with
> > an insecure configuration file.  Both Windows and Mac OS X versions
> > are affected.  The installed 'config.txt' file ('config' on Mac OS X)
> > had the following option values set to 1:
> >
> >    - enable-remote-toggle
> >    - enable-edit-actions
> >
> > Additionally, on Windows the following option was set to 1:
> >
> >    - enable-remote-http-toggle
> >
> > Malicious sites (or malicious exit nodes) could include active content
> > (e.g., JavaScript, Java, Flash) that caused the web browser to:
> >
> >    - make requests through the proxy that causes Privoxy filtering to
> >      be bypassed or completely disabled
> >
> >    - establish a direct connection from the web browser to the local
> >      proxy and modify the user defined configuration values

> I know what that code would be (cause I tried this awhile back), but I'm not
> going to be the one to post it.  Although anyone with basic HTML coding
> abilities and half a brain can figure it out.  And javascript/java/flash
> isn't required to make this happen.  It can be done with a simple IFRAME.
> But I'm not posting the one line of HTML code that would do this, no sir.
> We noted this a while back with JanusVM, but I don't think we documented the
> reasoning behind it.

Let me get this straight. A while ago, you found a vulnerability that
allows an attacker to change Privoxy's action files without relying on
the user to execute untrusted code, but decided not to report it to the
Privoxy Team and/or the people behind the Vidalia bundle and instead
only fixed it in your own Tor+Privoxy distribution?

Is there a remote chance that you could come around to
do the right thing and report it now?


Attachment: signature.asc
Description: PGP signature