[tor-bugs] #10464 [Tor bundles/installation]: A security bug in NoScript in Tor Browser Bundle

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Dec 22 01:26:18 UTC 2013


#10464: A security bug in NoScript in Tor Browser Bundle
--------------------------------------+-----------------------
 Reporter:  torar                     |          Owner:  erinn
     Type:  defect                    |         Status:  new
 Priority:  major                     |      Milestone:
Component:  Tor bundles/installation  |        Version:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+-----------------------
 Hi

 There's a bug in NoScript: If the user clicks on "Forbid Scripts
 Globally", scripts are disabled, except for one site: addons.mozilla.org.
 This site was automatically added to the NoScript whitelist.

 Note that this bug has security implications - a malicious exit node can
 redirect the user to addons.mozilla.org and then return any fake data
 (including some 0-day javascript exploit) as content of
 addons.mozilla.org. Thus, the user is vulnerable to javascript exploits,
 even if the user disables javascript by clicking on "Forbid Scripts
 Globally".

 There are other URLs in the whitelist, starting with about:, blob:,
 chrome:, resource: - they are hopefully not exploitable, but you should
 check it anyway - can, for example, some malicious site redirect the user to
 one of these whitelist URLs and use cross-site-scripting to run some
 javascript? I don't know.

 Please patch the NoScript add-on in the Tor Browser Bundle, so that it has
 an empty whitelist.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10464>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
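
An added example (not part of the ticket, and not NoScript or Tor Browser code) of auditing a profile for the condition the report describes: whitelist entries that are network sites rather than browser-internal schemes. The preference name, the space-separated format, and the rule that a bare host entry also covers plain HTTP are assumptions about classic NoScript; the sample prefs.js text is constructed.

```javascript
// Added example; not NoScript or Tor Browser code.
// Assumption: classic NoScript keeps its whitelist as a space-separated
// string in this preference of the profile's prefs.js.
const WHITELIST_PREF = "capability.policy.maonoscript.sites";

// Browser-internal schemes the report lists as whitelist entries.
const INTERNAL_SCHEMES = ["about:", "blob:", "chrome:", "resource:"];

// Return the whitelist entries found in the text of a prefs.js file.
function extractWhitelist(prefsText, prefName = WHITELIST_PREF) {
  const re = /^\s*user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);/;
  for (const line of prefsText.split(/\r?\n/)) {
    const m = re.exec(line);
    if (m && m[1] === prefName) return m[2].split(/\s+/).filter(Boolean);
  }
  return [];
}

// internal: browser-internal scheme; https-only: entry pinned to https://;
// any-scheme: bare host or http:// entry (assumed to also cover plain HTTP,
// the case where an exit node controls the response).
function classify(entry) {
  const e = entry.toLowerCase();
  if (INTERNAL_SCHEMES.some((s) => e.startsWith(s))) return "internal";
  return e.startsWith("https://") ? "https-only" : "any-scheme";
}

// Group entries by class; "empty" is true only when no network site is listed.
function auditWhitelist(prefsText) {
  const report = { internal: [], "https-only": [], "any-scheme": [] };
  for (const entry of extractWhitelist(prefsText)) report[classify(entry)].push(entry);
  report.empty = report["https-only"].length + report["any-scheme"].length === 0;
  return report;
}

// Constructed sample prefs.js content mirroring the whitelist the report describes.
const SAMPLE_PREFS = [
  'user_pref("browser.startup.homepage", "about:tor");',
  'user_pref("capability.policy.maonoscript.sites", "about: about:blank addons.mozilla.org blob: chrome: resource:");',
].join("\n");

console.log(auditWhitelist(SAMPLE_PREFS));
```

On the sample, `addons.mozilla.org` is the only entry reported under `any-scheme`, so `empty` is false.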

