[tor-bugs] #17303 [DirAuth]: Bad exits inject port 8123 into HTTP redirects

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Nov 10 23:21:50 UTC 2015


#17303: Bad exits inject port 8123 into HTTP redirects
----------------------+----------------------------------
 Reporter:  ikurua22  |          Owner:
     Type:  defect    |         Status:  new
 Priority:  High      |      Milestone:  Tor: unspecified
Component:  DirAuth   |        Version:  Tor: unspecified
 Severity:  Critical  |     Resolution:
 Keywords:            |  Actual Points:
Parent ID:            |         Points:
  Sponsor:            |
----------------------+----------------------------------

Comment (by dcf):

 Here is what I have been able to find about these exits.

 They seem to only affect plain HTTP redirects. For example, the URL
   http://arstechnica.com/?p=716619
 should redirect to the URL
   http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
 but some exits instead rewrite the URL to be
   http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/

 Here is an untampered header:
 {{{
 HTTP/1.1 301 Moved Permanently
 connection: close
 content-type: text/html; charset=UTF-8
 date: Sun, 04 Oct 2015 20:31:42 GMT
 location: http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
 server: nginx
 set-cookie: country=US; path=/
 transfer-encoding: chunked
 x-ars-server: web03
 }}}
 And here is a tampered header. Notice that beyond the addition of ":8123",
 it also changed "Transfer-Encoding: chunked" to "Content-Length: 0".
 {{{
 HTTP/1.1 301 Moved Permanently
 connection: close
 content-length: 0
 content-type: text/html; charset=UTF-8
 date: Sun, 04 Oct 2015 20:37:30 GMT
 location: http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
 server: nginx
 set-cookie: country=NL; path=/
 x-ars-server: web09
 }}}

 I ran attachment:http-redirect.py three times in the past weeks.
  2015-10-04:: 54 bad exits
  2015-10-17:: 39 bad exits
  2015-11-10:: 8 bad exits

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17303#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
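The comparison dcf describes above (an untampered redirect next to one rewritten by a bad exit) can be automated. The following is an added example, not part of the ticket and not the attached http-redirect.py script, which is not reproduced here. It parses two raw HTTP response header blocks, a reference copy assumed to have been fetched over a trusted path and the copy observed through an exit, and reports the two changes documented in the ticket: an explicit port appearing in the Location header and Transfer-Encoding: chunked being replaced by Content-Length: 0. The sample headers are constructed to mirror the two responses quoted in the comment; volatile headers (date, set-cookie, x-ars-server) are deliberately ignored because they legitimately differ between front-end servers.

```python
"""Detect exit-side tampering of HTTP redirects (added example, not the ticket's own tool).

Compares a reference 301 response against one observed through a Tor exit and
flags the differences that indicate rewriting rather than ordinary server variance.
"""
from urllib.parse import urlsplit

# Constructed sample headers modelled on the two responses quoted in #17303.
UNTAMPERED = """HTTP/1.1 301 Moved Permanently
connection: close
content-type: text/html; charset=UTF-8
date: Sun, 04 Oct 2015 20:31:42 GMT
location: http://arstechnica.com/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
server: nginx
set-cookie: country=US; path=/
transfer-encoding: chunked
x-ars-server: web03
"""

TAMPERED = """HTTP/1.1 301 Moved Permanently
connection: close
content-length: 0
content-type: text/html; charset=UTF-8
date: Sun, 04 Oct 2015 20:37:30 GMT
location: http://arstechnica.com:8123/tech-policy/2015/07/crypto-activists-announce-vision-for-tor-exit-relay-in-every-library/
server: nginx
set-cookie: country=NL; path=/
x-ars-server: web09
"""

# Headers that vary between legitimate front-end servers and carry no tampering signal.
IGNORED_HEADERS = {"date", "set-cookie", "x-ars-server"}


def parse_response_headers(raw):
    """Split a raw header block into (status_line, {lowercase-name: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate stray non-header lines in captured output
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def compare_redirects(reference_raw, observed_raw):
    """Return a list of findings; an empty list means no tampering was detected."""
    ref_status, ref = parse_response_headers(reference_raw)
    obs_status, obs = parse_response_headers(observed_raw)
    findings = []

    if ref_status != obs_status:
        findings.append(f"status line changed: {ref_status!r} -> {obs_status!r}")

    ref_loc = urlsplit(ref.get("location", ""))
    obs_loc = urlsplit(obs.get("location", ""))
    # Port injection: the redirect target gains an explicit port the origin never sent.
    if obs_loc.port != ref_loc.port:
        findings.append(f"Location port changed: {ref_loc.port} -> {obs_loc.port}")
    # Any other change to the redirect target (host, path, query) is also suspicious.
    ref_target = (ref_loc.scheme, ref_loc.hostname, ref_loc.path, ref_loc.query)
    obs_target = (obs_loc.scheme, obs_loc.hostname, obs_loc.path, obs_loc.query)
    if ref_target != obs_target:
        findings.append("Location target differs beyond the port")

    # Body framing swap: chunked encoding replaced by an explicit zero length.
    for name in ("transfer-encoding", "content-length"):
        if ref.get(name) != obs.get(name):
            findings.append(f"{name} changed: {ref.get(name)!r} -> {obs.get(name)!r}")

    # Report any other header that appeared, vanished, or changed, excluding known-volatile ones.
    for name in sorted((set(ref) | set(obs)) - IGNORED_HEADERS
                       - {"location", "transfer-encoding", "content-length"}):
        if ref.get(name) != obs.get(name):
            findings.append(f"{name} changed: {ref.get(name)!r} -> {obs.get(name)!r}")
    return findings


if __name__ == "__main__":
    for finding in compare_redirects(UNTAMPERED, TAMPERED):
        print("TAMPERED:", finding)
```

Run against the constructed samples it reports the injected port 8123 and the swap of `transfer-encoding: 'chunked'` for `content-length: '0'`, and nothing else. In a real scan the reference copy would be fetched without the exit under test and the same comparison applied per exit, as the ticket's repeated measurements do.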