[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

Max Jakob Maass max at velcommuta.de
Tue Jan 21 09:18:26 UTC 2014


I see the same behaviour with the latest Chrome running Linux:

$ nc -l -p 1234
GET / HTTP/1.1
Host: 127.0.0.1:1234
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77 Safari/537.36
Origin: http://tortestprivacy.url.ph
Accept: */*
DNT: 1
Referer: http://tortestprivacy.url.ph/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,de;q=0.6

So, apparently, Google does not enforce a same origin policy on this,
either.

On 21.01.2014 10:01, Olivier Cornu wrote:
> On 21/01/2014 05:06, TT Security wrote:
>> 
>>> I don't think browsers in general allow connections on
>>> loopback interfaces, unless explicitly requested by users.
>> 
>> I have Tor Browser Bundle 3.5 and Firefox 24.2.0 from there. Just
>> open some port on your computer (only for testing), for example a
>> local web server, and try this page with Firefox from Tor Browser
>> Bundle: http://tortestprivacy.url.ph/ You will see :)
> 
> Fwiw, I can confirm this unfortunate behavior. :( TBB connecting to
> loopback netcat socket from tortestprivacy.url.ph javascript:
> 
> $ nc -l -p 1234
> GET / HTTP/1.1
> Host: 127.0.0.1:1234
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
> Accept-Encoding: gzip, deflate
> DNT: 1
> Referer: http://tortestprivacy.url.ph/
> Origin: http://tortestprivacy.url.ph
> Connection: keep-alive
> 
> -- Olivier Cornu
> 
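
Both captures above carry an Origin header naming the remote page while Host names the loopback listener. The following is an added example, not part of the original thread, of how a service bound to 127.0.0.1 can use that mismatch to refuse such requests; the function names and the abbreviated sample request are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the request netcat received in the message above,
# reduced to the headers that matter for the check.
CAPTURED = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1:1234\r\n"
    "Origin: http://tortestprivacy.url.ph\r\n"
    "Referer: http://tortestprivacy.url.ph/\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return a dict of lower-cased header names from a raw HTTP request."""
    headers = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def origin_of(url):
    """Reduce a URL to (scheme, host, port); None if it is not a usable URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    except ValueError:                      # malformed port or address
        return None
    if not parts.scheme or not parts.hostname:
        return None                         # e.g. the literal "Origin: null"
    return (parts.scheme, parts.hostname.lower(), port)

def is_cross_site(raw, scheme="http"):
    """True when Origin (or Referer) names a site other than the Host contacted."""
    h = parse_headers(raw)
    if "host" not in h:
        return True                         # no Host header: refuse
    claimed = h.get("origin") or h.get("referer")
    if claimed is None:
        return False                        # no browser-supplied source to compare
    return origin_of(claimed) != origin_of(f"{scheme}://{h['host']}")
```

A local service would call `is_cross_site` on each incoming request and answer 403 when it returns True.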