[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

Max Jakob Maass max at velcommuta.de
Tue Jan 21 09:21:51 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Interestingly enough, my Linux FF 26.0 running NoScript does _not_
allow connections, even when NoScript is allowing everything globally.

Max

On 21.01.2014 10:18, Max Jakob Maass wrote:
> I see the same behaviour with the latest Chrome running Linux:
> 
> $ nc -l -p 1234 GET / HTTP/1.1 Host: 127.0.0.1:1234 Connection:
> keep-alive User-Agent: Mozilla/5.0 (X11; Linux x86_64)
> AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.77
> Safari/537.36 Origin: http://tortestprivacy.url.ph Accept: */* DNT:
> 1 Referer: http://tortestprivacy.url.ph/ Accept-Encoding:
> gzip,deflate,sdch Accept-Language: en-US,en;q=0.8,de;q=0.6
> 
> So, appearently, Google does not enforce a same origin policy on
> this, either.
> 
> On 21.01.2014 10:01, Olivier Cornu wrote:
>> Le 21/01/2014 05:06, TT Security a écrit :
>>> 
>>>> I don't think browsers in general allow connections on 
>>>> loopback interfaces, unless explicitly requested by users.
>>> 
>>> I have Tor Browser Bundle 3.5 and Firefox 24.2.0 from there.
>>> Just open some port on your computer(only for testing) for
>>> example local web-server and try with Firefox from Tor Browser
>>> Bundle this page: http://tortestprivacy.url.ph/ You will see
>>> :)
> 
>> Fwiw, I can confirm this unfortunate behavior. :( TBB connecting
>> to loopback netcat socket from tortestprivacy.url.ph javascript:
> 
>> $ nc -l -p 1234 GET / HTTP/1.1 Host: 127.0.0.1:1234 User-Agent: 
>> Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko/20100101 
>> Firefox/26.0 Accept: 
>> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 
>> Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3 
>> Accept-Encoding: gzip, deflate DNT: 1 Referer: 
>> http://tortestprivacy.url.ph/ Origin:
>> http://tortestprivacy.url.ph Connection: keep-alive
> 
>> -- Olivier Cornu
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJ8BAEBCgBmBQJS3jwvXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ4NEM0ODA5N0EzQUY3RDU1MTg5QTc3QUMx
NjlGOTYyNDM0MDg4MjVFAAoJEBafliQ0CIJeT+MP/2xo1Cc6xpVkMyeuWvA/vzLm
mh94HNdthW9wbL36GZ+RWYjTrUQvytKRJbLBZ5K2JuS02hwE517qDKpmjv+o0Lg7
i7rjM8dcj3k24bRlwKTndtoL9+eR+jHCX0WxzdSCmc4olpku1IrjOEbZG0wCl2q+
9y0giEV9oiAxjTQVJmyDF49VM9nU0TCzgZ0r3P4XiLBY1OMg6XQHPQrm/9bYNRNs
VbXf2LB8y4fJTK/meaERVXDs9PpoM8mYIv1WurKXKOAbiys0sx1s6pgWSOtdjP6+
6etyD3FnKrOPfZgQsf2EA7pccASSd54PGjOP1bwSR2StJAR2m8de01RaUp3cF10Z
OnP2An0qetI3jmvjrvvKvZv0zBS8qY2IS1CBvXwhDrzFfpc9BpCPgKcK8Vg/oyH3
q2tE4/Kut5q5mIjy337wYP1vSrTQIOYgIvqRqSeugGWiC1uBmA3usnWpibC5CJq6
pxkdgtG5qNX91o9CM74hT/CG+b1VOjDMEBoBUUrjjcZGBE1quMG7nonkHM4M4ctZ
BcmQFcyCR5Lijzy/MAhs3NAMml56wXisEce6UJ0XWb1yBL2fnpVKW2SeMiqEo9g7
bjowBUWZhN9uDAHCvKp1qnGbsk6xMHzwrnw91AZyoPAq37kMih8mrajEKQ3TEAyd
Q+xjlQCr2CRJtNHBviri
=Z36p
-----END PGP SIGNATURE-----


More information about the tor-talk mailing list