[tor-bugs] #10464 [Tor bundles/installation]: A security bug in NoScript in Tor Browser Bundle
#10464: A security bug in NoScript in Tor Browser Bundle
--------------------------------------+-----------------------
Reporter: torar | Owner: erinn
Type: defect | Status: new
Priority: major | Milestone:
Component: Tor bundles/installation | Version:
Keywords: | Actual Points:
Parent ID: | Points:
--------------------------------------+-----------------------
Hi
There's a bug in NoScript: If the user clicks on "Forbid Scripts
Globally", scripts are disabled, except for one site: addons.mozilla.org.
This site was automatically added to the NoScript whitelist.
Note that this bug has security implications - a malicious exit node can
redirect the user to addons.mozilla.org and then return any fake data
(including some 0-day JavaScript exploit) as content of
addons.mozilla.org. Thus, the user is vulnerable to JavaScript exploits,
even if the user disables JavaScript by clicking on "Forbid Scripts
Globally".
There are other URLs in the whitelist, starting with about:, blob:,
chrome:, resource: - they are hopefully not exploitable, but you should
check it anyway - can, for example, some malicious site redirect the user to
one of these whitelist URLs and use cross-site-scripting to run some
JavaScript? I don't know.
Please patch the NoScript add-on in the Tor Browser Bundle, so that it has
an empty whitelist.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10464>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
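
As an added example (not part of the ticket or of NoScript's or Tor's own code), the following audit reads a profile's prefs.js text and separates whitelist entries that use the schemes named in the report from entries that are network hosts, such as addons.mozilla.org. The preference name `capability.policy.maonoscript.sites` and its space-separated format are assumptions about where this NoScript version keeps its whitelist, and the sample prefs.js content is constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Schemes the report lists as whitelisted besides addons.mozilla.org.
SCHEMES_IN_REPORT = ("about:", "blob:", "chrome:", "resource:")

# Assumption: the whitelist lives in this pref as one space-separated string.
WHITELIST_PREF = "capability.policy.maonoscript.sites"

PREF_RE = re.compile(
    r'^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.*?)\s*\)\s*;\s*$')

# Constructed sample input, not taken from a real profile.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("capability.policy.maonoscript.sites", "about: about:blank addons.mozilla.org blob: chrome: resource: http://addons.mozilla.org https://addons.mozilla.org");
user_pref("javascript.enabled", true);
'''

def read_prefs(text):
    """Return {name: value} for string-valued user_pref() lines."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(2).startswith('"'):
            prefs[json.loads(m.group(1))] = json.loads(m.group(2))
    return prefs

def host_of(entry):
    """Reduce 'https://host' or bare 'host' whitelist entries to the host."""
    if "://" in entry:
        return urlsplit(entry).hostname or entry
    return entry

def audit_whitelist(prefs_text, pref=WHITELIST_PREF):
    """Return (scheme_entries, network_hosts) found in the whitelist pref."""
    entries = read_prefs(prefs_text).get(pref, "").split()
    scheme_entries, hosts = [], set()
    for e in entries:
        if e.lower().startswith(SCHEMES_IN_REPORT):
            scheme_entries.append(e)
        else:
            hosts.add(host_of(e))
    return scheme_entries, sorted(hosts)

if __name__ == "__main__":
    schemes, hosts = audit_whitelist(SAMPLE_PREFS)
    print("scheme entries:", schemes)
    print("network hosts still allowed to run scripts:", hosts)
```

Any host in the second list can still run scripts after "Forbid Scripts Globally" is selected, which is the condition the ticket asks to eliminate.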