[tor-bugs] #9636 [Tor]: Tor not fully passing input to CGI script

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Aug 31 10:14:09 UTC 2013 

#9636: Tor not fully passing input to CGI script
----------------------+---------------------
 Reporter:  hnaparst  |          Owner:
     Type:  defect    |         Status:  new
 Priority:  normal    |      Milestone:
Component:  Tor       |        Version:
 Keywords:            |  Actual Points:
Parent ID:            |         Points:
----------------------+---------------------
 As a hobby project, I thought I would create a public mailserver as a
 hidden service.  When I got to the part about creating a self-registration
 page, which I did as a CGI with compiled C, I ran into a bizarre problem.

 When accessing the registration service from the Tor Browser, either as a
 hidden service or directly through the IP address, the registration
 process fails because some of the information is not passed correctly to
 the CGI script.  The script completes successfully if you turn off the tor
 service in the browser or use another browser.

 The registration page is:  http://54.229.143.194/cgi-
 bin/vqregister/vqregister.cgi

 This is an Amazon instance, which I will leave on until this case is
 resolved.  If you wish, I can send you an AMI.

 For instance, trying to register an account with name, username, and
 password of foox results in Apache thinking that it only received 48
 characters: fname=foox&user=foox&dom=7wwgnynofwo7wodd.onion& instead of
 the full 86 characters
 fname=foox&user=foox&dom=7wwgnynofwo7wodd.onion&pass=foox&vpass=foox&Register=Register

 Oddly, the Apache script log correctly shows

 %% [Sat Aug 31 09:46:49 2013] POST /cgi-bin/vqregister/vqregister.cgi
 HTTP/1.1
 %% 500 /var/www/localhost/cgi-bin/vqregister/vqregister.cgi
 %request
 Host: 54.229.143.194
 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101
 Firefox/17.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-us,en;q=0.5
 Accept-Encoding: gzip, deflate
 Connection: keep-alive
 Referer: http://54.229.143.194/cgi-bin/vqregister/vqregister.cgi
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 86

 fname=foox&user=foox&dom=7wwgnynofwo7wodd.onion&pass=foox&vpass=foox&Register=Register
 %response

 I would conclude that it is an Apache misconfiguration, since the script
 log looks fine, except that this problem only occurs when using Tor.  It
 fails 100% of the time with Tor, and succeeds 100% of the time without
 Tor.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9636>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list