Insecure Privoxy Configuration in Vidalia Bundles Prior to 0.1.2.18

Fabian Keil freebsd-listen at fabiankeil.de
Wed Oct 31 17:47:35 UTC 2007


"Kyle Williams" <kyle.kwilliams at gmail.com> wrote:

> On 10/31/07, Gregory Fleischer (Lists) <gfleischer.lists at gmail.com> wrote:

> > Versions of the Vidalia bundle prior to 0.1.2.18 install Privoxy with
> > an insecure configuration file.  Both Windows and Mac OS X versions
> > are affected.  The installed 'config.txt' file ('config' on Mac OS X)
> > had the following option values set to 1:
> >
> >    - enable-remote-toggle
> >    - enable-edit-actions
> >
> > Additionally, on Windows the following option was set to 1:
> >
> >    - enable-remote-http-toggle
> >
> > Malicious sites (or malicious exit nodes) could include active content
> > (e.g., JavaScript, Java, Flash) that caused the web browser to:
> >
> >    - make requests through the proxy that cause Privoxy filtering to
> >      be bypassed or completely disabled
> >
> >    - establish a direct connection from the web browser to the local
> >      proxy and modify the user defined configuration values

> I know what that code would be ('cause I tried this a while back), but I'm not
> going to be the one to post it.  Although anyone with basic HTML coding
> abilities and half a brain can figure it out.  And JavaScript/Java/Flash
> isn't required to make this happen.  It can be done with a simple IFRAME.
> But I'm not posting the one line of HTML code that would do this, no sir.
 
> We noted this a while back with JanusVM, but I don't think we documented the
> reasoning behind it.

Let me get this straight. A while ago, you found a vulnerability that
allows an attacker to change Privoxy's action files without relying on
the user to execute untrusted code, but decided not to report it to the
Privoxy Team and/or the people behind the Vidalia bundle and instead
only fixed it in your own Tor+Privoxy distribution?

Is there a remote chance that you could come around to
do the right thing and report it now?

Fabian
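
Added example, not part of the thread and not code from Privoxy or the Vidalia bundle: a check that a Privoxy configuration file does not enable the three options named in the quoted advisory, plus a rewrite that sets them to 0. The sample config and the function names are constructed for this illustration.

```python
# Options the advisory lists as set to 1 in the affected bundles.
RISKY_OPTIONS = (
    "enable-remote-toggle",
    "enable-edit-actions",
    "enable-remote-http-toggle",
)

# Constructed sample input, not a real Vidalia bundle file.
SAMPLE_CONFIG = """\
# Constructed sample for the audit below
listen-address 127.0.0.1:8118
toggle 1
enable-remote-toggle 1
enable-edit-actions  1
enable-remote-http-toggle 1
# enable-edit-actions 1
"""

def _risky_setting(raw_line):
    """Return (option, value) if the line sets a risky option, else None."""
    line = raw_line.strip()
    if not line or line.startswith("#"):
        return None                      # blank line or comment
    parts = line.split()
    if parts[0] not in RISKY_OPTIONS:
        return None
    return parts[0], (parts[1] if len(parts) > 1 else "")

def audit_privoxy_config(text):
    """List (line_no, option, value) for risky options not set to 0."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        setting = _risky_setting(raw)
        if setting and setting[1] != "0":
            findings.append((line_no, setting[0], setting[1]))
    return findings

def harden_privoxy_config(text):
    """Return the config text with every risky option forced to 0."""
    out = []
    for raw in text.splitlines():
        setting = _risky_setting(raw)
        out.append(f"{setting[0]} 0" if setting else raw)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for line_no, option, value in audit_privoxy_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {option} is set to {value!r}, expected 0")
```
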