[tor-relays] Persistent XSS vulnerability in TorStatus

tagnaq tagnaq at gmail.com
Sat Apr 23 17:00:47 UTC 2011



"TorStatus is a website display used to summarize metrics about the Tor
Network. It's a precursor to http://metrics.torproject.org. The code
repository is at
https://svn.torproject.org/svn/torstatus/. Example running sites are
http://torstatus.blutmagie.de/ [...]"

Note: TorStatus is not a Tor Project product and is not maintained.


Vulnerability
-------------
DisplayRouterRow() in index.php prints the contact information string
from a server descriptor - defined via 'ContactInfo' in torrc by a node
operator - into the HTML page without proper output encoding. This is a
persistent cross-site scripting vulnerability: any Tor node operator can
insert HTML/JavaScript into the pages served by every vulnerable
TorStatus mirror.

The contact information column is only included in the HTML page if the
end-user (browsing a TorStatus mirror) adds the contact column via
"Advanced Display Options" (column_set.php); it is not included by
default. An attacker might set the displayed columns for a victim via
CSRF.

A simple search in the server descriptors of the last two months did not
reveal an obvious exploitation in that time period. The simple search
used is not suitable to give a clear answer.
[grep -hir ^contact * |egrep -i '(script|src)']

Affected Versions
-----------------
4.0
3.6.1
3.6
3.5
3.4.2
3.4.1
and probably others


Solution
--------
The attached patch was committed to the svn (revision r24666).
https://svn.torproject.org/svn/torstatus/




Thanks to Robert, Andrew, Olaf, Damian and Sebastian.
Name: index.php.patch
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20110423/65d0404b/attachment.asc>