Insecurities in Privoxy Configurations - Details

Gregory Fleischer (Lists) gfleischer.lists at gmail.com
Thu Nov 29 18:13:08 UTC 2007

At the end of October, updated Vidalia bundles were released that
addressed some insecurities in the Privoxy configuration in versions
prior to 0.1.2.18.  A brief advisory was posted at the time [1].

Full details and sample exploit code are now available from [2].

For those impatient to get back to debating the finer points of the
law and legal responsibilities, here is the two minute version.

Privoxy has three configuration options of interest:

  - enable-remote-http-toggle
  - enable-remote-toggle
  - enable-edit-actions

1) If the 'enable-remote-http-toggle' option is set, any client side
    technology that can generate HTTP headers can bypass Privoxy
    content filtering by adding a header of: "X-Filter: No".

2) If the 'enable-remote-toggle' option is set, then any web browser
    vulnerabilities that can spoof HTTP Referer headers can be used to
    completely disable Privoxy filtering.

For Firefox 2.0.0.9 and prior, the following HTML snippet is typically
sufficient to disable Privoxy:

<form name="pwn" target="_self" action="http://config.privoxy.org/">
</form>
<script defer="defer">
setTimeout('document.forms["pwn"].submit()', 100);
alert("wait for it");
window.location = "http://config.privoxy.org/toggle?set=disable";
</script>

3) If the 'enable-edit-actions' option is set, then any web browser
    vulnerability that can spoof HTTP Referer headers and determine the
    modification time of the 'user.action' file can modify the Privoxy
    configuration.

Most recent Vidalia bundles for Windows install the 'user.action' file
with a consistent file time.  If a user has never edited any actions,
then the time is known (usually within plus or minus one hour).  One
of the sample Privoxy filter rules includes actions that can be used
to block all web requests simply by specifying a URL value of "./".

Using Referer spoofing and the known modification time of the
'user.action' file, a malicious script could generate requests that
would completely block all user web traffic through Privoxy.
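As an added example (not code from the original post and not part of Privoxy itself), the following Python script audits a Privoxy 'config' file for the three options above and rewrites any that are enabled to the hardened value 0. The parsing rules (one 'option value' directive per line, '#' starts a comment, last occurrence wins, an absent option counts as disabled) and the sample config are assumptions constructed for the example.

```python
"""Audit a Privoxy 'config' file for the remote-control options discussed
in the post.  Added example, not code from the original message or from
Privoxy.  Assumptions: one 'option value' directive per line, '#' starts
a comment, the last occurrence of an option wins, absent means disabled."""
import re
from typing import Dict, List

# Value 1 lets a web page or an HTTP header change Privoxy's behaviour;
# 0 is the hardened value for all three.
RISKY_OPTIONS = {
    "enable-remote-http-toggle": "an 'X-Filter: No' header bypasses filtering",
    "enable-remote-toggle": "a spoofed Referer can switch filtering off",
    "enable-edit-actions": "a spoofed Referer can rewrite the actions file",
}

# Constructed sample resembling a Vidalia-era Privoxy config (not a real file).
SAMPLE_CONFIG = """\
# constructed sample config
listen-address  127.0.0.1:8118
toggle  1
enable-remote-toggle  1     # lets a page flip filtering via /toggle
enable-remote-http-toggle  0
enable-edit-actions  1
forward-socks4a / 127.0.0.1:9050 .
"""


def parse_config(text: str) -> Dict[str, str]:
    """Return option -> value for every directive, ignoring comments."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split(None, 1)  # option name, then the rest as value
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def find_insecure(text: str) -> List[str]:
    """Names of risky options that are enabled, in RISKY_OPTIONS order."""
    opts = parse_config(text)
    return [name for name in RISKY_OPTIONS if opts.get(name, "0") == "1"]


def report(text: str) -> List[str]:
    """Human-readable finding per enabled risky option."""
    return [f"{n} is enabled: {RISKY_OPTIONS[n]}; set it to 0"
            for n in find_insecure(text)]


def harden_config(text: str) -> str:
    """Rewrite each enabled risky directive to 0, keeping comments and order."""
    names = "|".join(re.escape(n) for n in RISKY_OPTIONS)
    pattern = re.compile(rf"^(\s*(?:{names})\s+)1(\s*(?:#.*)?)$", re.IGNORECASE)
    fixed = [pattern.sub(r"\g<1>0\g<2>", line) for line in text.splitlines()]
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for finding in report(SAMPLE_CONFIG):
        print(finding)
    print(harden_config(SAMPLE_CONFIG))
```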

[1] http://archives.seul.org/or/talk/Oct-2007/msg00291.html
[2] http://pseudo-flaw.net/content/tor/vidalia-insecure-privoxy-configuration/
