[tor-talk] Abusing resource:// uri in Firefox Browser

Asa Rossoff asa at lovetour.info
Sun Apr 21 15:35:06 UTC 2013


I tested the example exploit URL in the Firefox ticket using both Firefox
Aurora 22.0a2 (2013-4-12) and Tor Browser Firefox ESR 17.0.4
(tor-pluggable-transports-browser-2.4.11-alpha-2_en-US Windows package).

Using Firefox Aurora, the exploit failed and was not able to access
resource:// URLs at all.
Using the Tor Browser mentioned, it succeeded to the extent that it was able
to determine my browser was Firefox.  I had to enable scripts for that site
in order for it to gain any more information, at which time it could
identify all the other info it tried to, including the fact that I was using
Tor Browser.

Most of the resource URIs used by the example exploit page/script (and
many more) were valid LOCALLY in Aurora, but the remote exploit failed to
access them.

In Tor Browser, the exploit succeeded to varying degrees depending on
whether NoScript blocked the script or not.

Is this an issue of using too old of a Firefox version for Tor Browser?

Asa

-----Original Message-----
From: tor-talk-bounces at lists.torproject.org
[mailto:tor-talk-bounces at lists.torproject.org] On Behalf Of Griffin Boyce
Sent: Thursday, April 18, 2013 7:51 PM
To: tor-talk at lists.torproject.org
Subject: Re: [tor-talk] Abusing resource:// uri in Firefox Browser

It's in the ticket system as #8725, and I was able to duplicate this bug.
Somehow preventing outside resource_uri access or pretending to be a
non-Firefox browser would obviate this quirk.

https://trac.torproject.org/projects/tor/ticket/8725

~Griffin