[tor-bugs] #5477 [EFF-HTTPS Everywhere]: Critical security vulnerability is caused by HTTPS-Everywhere enabled
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Tue Apr 17 06:14:10 UTC 2012
#5477: Critical security vulnerability is caused by HTTPS-Everywhere enabled
------------------------------------------------------+---------------------
Reporter: Drugoy | Owner: pde
Type: defect | Status: new
Priority: critical | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: address spoofing, critical vulnerability | Parent:
Points: | Actualpoints:
------------------------------------------------------+---------------------
Comment(by pde):
So at this URL is a modified version of Drugoy's page:
http://ww2.cs.mu.oz.au/~pde/bugs/5477-tst.html
It does the same thing when you click the button, with the addition of an
alert that says "frogs". Visited without HTTPS Everywhere, the alert goes
off. With HTTPS Everywhere, the iframe appears to replace the whole
window, despite what one sees after "view source". In particular, there
is no frogs alert.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5477#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online