[tor-bugs] #18782 [Tor Browser]: media tab in Page Info can bypass NoScript
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 12 07:19:25 UTC 2016
#18782: media tab in Page Info can bypass NoScript
-------------------------+-----------------------------------
 Reporter:  cypherpunks  |          Owner:  tbb-team
     Type:  defect       |         Status:  needs_information
 Priority:  Very High    |      Milestone:
Component:  Tor Browser  |        Version:
 Severity:  Critical     |     Resolution:
 Keywords:               |  Actual Points:
Parent ID:               |         Points:
 Reviewer:               |        Sponsor:
-------------------------+-----------------------------------
Changes (by cypherpunks):
* priority: High => Very High
* severity: Major => Critical
Comment:
I just downloaded and ran a fresh copy of 5.5.4, en-us, hash
ebc24ad69a27531dac62c25f939d4028c5494c1759137a3a841e9e32619a3c71, which I
ran in both private and regular modes, and with security slider set to
High.
The only things I changed:
- though it isn't recommended, I ran it as root because reasons;
basically it is easier on my test system to do that and it was just to run
it once for the purpose of this test
- imported some bookmarks
No addons at all were imported, installed, or adjusted. Visiting the
website listed in the steps did indeed produce the bug. The IP-looking URL
was there along with a host of other addresses, all instantly previewable,
including the media player for that IP-based URL.
If you are running an unmodified version of the browser, these should be
your results as well. I have no idea why they aren't.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18782#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online