[tor-talk] Persistent XSS vulnerability in TorStatus
thegravitator at googlemail.com
Mon Apr 25 16:42:25 UTC 2011
----- Original Message -----
From: "tagnaq" <tagnaq at gmail.com>
To: <tor-talk at lists.torproject.org>
Sent: Monday, April 25, 2011 11:59 AM
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
> > Thanks for this.. you might be interested to know that
> > had a nasty experience with one of these sites (don't know which
> > running this code some 4-6 months ago.
> A search (grep) in the server descriptor archive starting with
> 2009-01-01 didn't show anything obviously nasty in the contact field -
> so if a TorStatus site contained something nasty in that time period
> probably wasn't this vulnerability.
> ...but TorStatus is not properly html encoding everywhere where it
Yes, but you'd inject the script later and so not get caught.
> > I had to switch jscript on to
> > view the site
I think you'll find that when you need to order the output or filter it,
you need jscript on, if not in the code then that might explain it all.
Maybe there's a way these functions can be turned off by a jscript
injection, forcing the user to turn it on to sue them.
> > Do you reckon a jscript (code injection) vulnerability over Tor,
> > the one you uncovered, could lead to stack based attacks (the system
> > slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a
> > control trojan as I have just removed?
> The vulnerability reported in the original posting (a web application
> not doing proper output encoding) has basically nothing to do with Tor
> beside the fact that the web application does show Tor nodes
> and the way how an attacker delivers its payload to the website.
Other than it allowed Tor exits to inject code "This leads
to a persistent cross-site scripting vulnerability where every Tor node
> So your question boils down to:
> Can one get compromised when browsing a website?
> Yes, you can.
Yes code injection can indeed can be achieved on the www... Q was, can
vulnerability, to implant trojans/viruses, I hguess you are saying yes
> best regards,
> tor-talk mailing list
> tor-talk at lists.torproject.org
More information about the tor-talk