<br><br><div><span class="gmail_quote">On 10/31/07, <b class="gmail_sendername">Gregory Fleischer (Lists)</b> <<a href="mailto:gfleischer.lists@gmail.com">gfleischer.lists@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>Versions of the Vidalia bundle prior to 0.1.2.18 install Privoxy with<br>an insecure configuration file. Both Windows and Mac OS X versions
<br>are affected. The installed 'config.txt' file ('config' on Mac OS X)<br>had the following option values set to 1:<br><br> - enable-remote-toggle<br> - enable-edit-actions<br><br>Additionally, on Windows the following option was set to 1:
<br><br> - enable-remote-http-toggle<br><br>Malicious sites (or malicious exit nodes) could include active content<br>(e.g., JavaScript, Java, Flash) that caused the web browser to:<br><br> - make requests through the proxy that cause Privoxy filtering to
<br> be bypassed or completely disabled<br><br> - establish a direct connection from the web browser to the local<br> proxy and modify the user defined configuration values<br><br>The Privoxy documentation recommends against enabling these options in
<br>multi-user environments or when dealing with untrustworthy clients.<br>However, the documentation does not mention that client-side<br>web browser scripts or vulnerabilities could be exploited as well.<br><br>It should be noted that using Tor is not a prerequisite for some of
<br>these attacks to be successful. Users of Tor may be at greater risk,<br>because malicious exit nodes can inject content into otherwise trusted<br>sites.<br><br>In order to allow time for people to upgrade, additional attack
<br>details and sample code will be withheld for a couple of days.<br><br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.7 (Darwin)<br><br>iD8DBQFHKKB6WbVJrJm/lrsRApQLAKC5FRcVsCuBBxtSxnmbl0ihixaX3gCfZHZ8<br>gwXIIv2LUswWy1bSwg5CJU4=
<br>=ZSdL<br>-----END PGP SIGNATURE-----<br></blockquote></div><br><br>I know what that code would be ('cause I tried this a while back), but I'm not going to be the one to post it. Although anyone with basic HTML coding abilities and half a brain can figure it out. And JavaScript/Java/Flash isn't required to make this happen. It can be done with a simple IFRAME. But I'm not posting the one line of HTML code that would do this, no sir.
<br><br>We noted this a while back with JanusVM, but I don't think we documented the reasoning behind it. <br>(Cue Roger giving a friendly reminder to get more documentation and source code produced ;-)<br><br>First we disabled those options for obvious reasons.
<br>Then we enabled them because a couple of users wanted more control. <br>Then we disabled them again because that level of control can be accessed from the console if they really want it.<br><br>Fun times.<br><br>
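A way to check an installed Privoxy configuration for the three options the advisory names, and to set them back to 0. This is an added example, not code from the advisory or from the Vidalia, Privoxy or JanusVM projects; it assumes `keyword value` lines, `#` starting a comment, and the last occurrence of an option winning, and the sample config is constructed.

```python
import re

# Options the advisory lists as set to 1 in the affected bundles.
RISKY_OPTIONS = (
    "enable-remote-toggle",
    "enable-edit-actions",
    "enable-remote-http-toggle",
)

# Constructed sample resembling an affected Windows config.txt.
SAMPLE = """\
listen-address 127.0.0.1:8118
enable-remote-toggle 1
enable-edit-actions 1   # web-based actions editor
#enable-remote-http-toggle 0
enable-remote-http-toggle 1
"""

def parse_options(text):
    """Return {option: value} for the audited options (assumed syntax:
    'keyword value', '#' comments, last occurrence wins)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key in RISKY_OPTIONS:
            found[key] = parts[1].strip() if len(parts) > 1 else ""
    return found

def audit(text):
    """Return the audited options whose effective value is 1."""
    return sorted(k for k, v in parse_options(text).items() if v == "1")

def harden(text):
    """Return the config with every active audited option forced to 0,
    leaving comments and unrelated lines untouched."""
    out = []
    for raw in text.splitlines():
        m = re.match(r"^(\s*)(\S+)(\s+)([^\s#]+)(.*)$", raw)
        if m and m.group(2).lower() in RISKY_OPTIONS and m.group(4) != "0":
            raw = f"{m.group(1)}{m.group(2)}{m.group(3)}0{m.group(5)}"
        out.append(raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("enabled:", audit(SAMPLE))
    print(harden(SAMPLE), end="")
```
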