[tor-bugs] #23574 [Internal Services/Tor Sysadmin Team]: Don't allow text injection in our 404 page
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Sep 19 06:17:47 UTC 2017
#23574: Don't allow text injection in our 404 page
-----------------------------------------------------+-----------------
Reporter: gk | Owner: tpa
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-----------------------------------------------------+-----------------
We got a report on HackerOne by sumitthehacker:
{{{
i want to report a text injection and a misconfiguration of the 404 page
the bug exists at :
https://www.torproject.org/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.Attacker.com%20so%20go%20to%20the%20new%20one%20since%20this%20one
as you can see attacker text is included
"It has been changed by a new one https://www.attacker.com so go to the
new one since this one was not found on this server."
}}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23574>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list