Insecure Privoxy Configuration in Vidalia Bundles Prior to 0.1.2.18

Kyle Williams kyle.kwilliams at gmail.com
Wed Oct 31 16:11:55 UTC 2007


On 10/31/07, Gregory Fleischer (Lists) <gfleischer.lists at gmail.com> wrote:
>
> Versions of the Vidalia bundle prior to 0.1.2.18 install Privoxy with
> an insecure configuration file.  Both Windows and Mac OS X versions
> are affected.  The installed 'config.txt' file ('config' on Mac OS X)
> had the following option values set to 1:
>
>    - enable-remote-toggle
>    - enable-edit-actions
>
> Additionally, on Windows the following option was set to 1:
>
>    - enable-remote-http-toggle
>
> Malicious sites (or malicious exit nodes) could include active content
> (e.g., JavaScript, Java, Flash) that caused the web browser to:
>
>    - make requests through the proxy that causes Privoxy filtering to
>      be bypassed or completely disabled
>
>    - establish a direct connection from the web browser to the local
>      proxy and modify the user defined configuration values
>
> The Privoxy documentation recommends against enabling these options in
> multi-user environments or when dealing with untrustworthy clients.
> However, the documentation does not mention that client-side
> web browser scripts or vulnerabilities could be exploited as well.
>
> It should be noted that using Tor is not a prerequisite for some of
> these attacks to be successful.  Users of Tor may be at greater risk,
> because malicious exit nodes can inject content into otherwise trusted
> sites.
>
> In order to allow time for people to upgrade, additional attack
> details and sample code will be withheld for a couple of days.
>
>


I know what that code would be (cause I tried this a while back), but I'm not
going to be the one to post it.  Although anyone with basic HTML coding
abilities and half a brain can figure it out.  And javascript/java/flash
isn't required to make this happen.  It can be done with a simple IFRAME.
But I'm not posting the one line of HTML code that would do this, no sir.

We noted this a while back with JanusVM, but I don't think we documented the
reasoning behind it.
(Cue Roger giving a friendly reminder to get more documentation and source
code produced ;-)

First we disabled those options for obvious reasons.
Then we enabled them because a couple of users wanted more control.
Then we disabled them again because that level of control can be accessed
from the console if they really want it.

Fun times.
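A defender-side check for the misconfiguration the quoted advisory describes, added here as an example and not part of this thread or of Privoxy itself: it parses a Privoxy config file, flags the three options the advisory names when they are set to 1, and rewrites them to 0. The sample config is constructed to mirror the pre-0.1.2.18 Windows settings; the assumption that `#` starts a comment is mine.

```python
import re

# Options the advisory names as dangerous when set to 1 (the Windows bundle
# additionally shipped enable-remote-http-toggle enabled).
RISKY_OPTIONS = {
    "enable-remote-toggle": "filtering can be switched off via the toggle URL",
    "enable-edit-actions": "actions files can be edited through the web interface",
    "enable-remote-http-toggle": "filtering can be toggled by an HTTP request header",
}

# A directive is an option name followed by its value.
OPTION_RE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s+(\S+)")

def parse_config(text):
    """Yield (line_no, option, value) for each directive; '#' starts a comment (assumed)."""
    for no, line in enumerate(text.splitlines(), 1):
        m = OPTION_RE.match(line.split("#", 1)[0])
        if m:
            yield no, m.group(1), m.group(2)

def audit_privoxy_config(text):
    """Return (line_no, option, reason) for every risky option that is enabled."""
    return [(no, opt, RISKY_OPTIONS[opt])
            for no, opt, val in parse_config(text)
            if opt in RISKY_OPTIONS and val == "1"]

def harden_privoxy_config(text):
    """Return the config with every risky option forced to 0; other lines untouched."""
    out = []
    for line in text.splitlines():
        m = OPTION_RE.match(line.split("#", 1)[0])
        out.append(f"{m.group(1)} 0" if m and m.group(1) in RISKY_OPTIONS else line)
    return "\n".join(out) + "\n"

# Constructed sample: the three options enabled as in the affected Windows bundle.
SAMPLE_CONFIG = """\
# constructed sample config.txt
listen-address  127.0.0.1:8118
toggle  1
enable-remote-toggle  1
enable-remote-http-toggle  1
enable-edit-actions  1
forward-socks4a / 127.0.0.1:9050 .
"""

if __name__ == "__main__":
    for no, opt, why in audit_privoxy_config(SAMPLE_CONFIG):
        print(f"line {no}: {opt} enabled: {why}")
    print(harden_privoxy_config(SAMPLE_CONFIG))
```

Note that `toggle 1` is left alone: it only means filtering is on, and is not one of the remote-control options the advisory warns about.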