[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

Max Jakob Maass max at velcommuta.de
Tue Jan 21 10:10:15 UTC 2014



On 21.01.2014 11:08, Mike Cardwell wrote:
> * on the Tue, Jan 21, 2014 at 10:28:29AM +0100, Max Jakob Maass
> wrote:
> 
>> Christ. Chrome even allows to connect to other machines in LAN.
>> I successfully connected to my Raspberry Pi (only reachable via
>> LAN) by changing the IP in the source code from 127.0.0.1 to the
>> relevant IP.
>> 
>> So, apparently, Chrome allows you to enumerate the LAN and
>> interact with other machines in it. I'll see if there is a bug
>> report for that already.
>> 
>> Thanks for the Info, TT Security.
> 
> If you can use XMLHttpRequest to perform a request against a
> machine on your LAN that isn't using CORS, and then read the
> response, then there is a bug, and you will get a healthily sized
> cheque from Google or Mozilla for reporting it to them. If you
> can't read the response then there isn't a bug. What you're seeing
> is: how the web works.

Well, this happens if you don't have an apache ready to really test
this stuff and only use netcat. Thanks for the info, I'll show myself out.
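
Added example, not part of the original message: a small model of the distinction drawn in the quoted reply, where a cross-origin XMLHttpRequest reaches the LAN host (which is all a netcat listener shows) but page script can read the response only if the host opts in via CORS. The function names, hosts and header sets are constructed for illustration, and only a simple GET is modelled.

```javascript
// Model of the browser-side CORS check for a simple cross-origin GET.
// All hosts, origins and header sets below are constructed sample values.

// Serialize an origin the way it is compared: scheme://host[:port]
function originOf(url) {
  return new URL(url).origin;
}

// Decide what page script at `pageUrl` gets from an XMLHttpRequest to `targetUrl`.
// `responseHeaders` holds lower-cased header names as sent by the target.
// `withCredentials` mirrors XMLHttpRequest.withCredentials.
function xhrOutcome(pageUrl, targetUrl, responseHeaders, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  // A simple GET is always put on the wire; that is what a netcat listener shows.
  const outcome = { requestSent: true, responseReadable: false, reason: "" };

  if (pageOrigin === originOf(targetUrl)) {
    outcome.responseReadable = true;
    outcome.reason = "same origin";
    return outcome;
  }
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) {
    outcome.reason = "no Access-Control-Allow-Origin header";
  } else if (acao === "*" && !withCredentials) {
    outcome.responseReadable = true;
    outcome.reason = "wildcard allowed for non-credentialed request";
  } else if (acao === "*") {
    outcome.reason = "wildcard not accepted for credentialed request";
  } else if (acao !== pageOrigin) {
    outcome.reason = "allowed origin does not match page origin";
  } else if (withCredentials &&
             responseHeaders["access-control-allow-credentials"] !== "true") {
    outcome.reason = "credentialed request needs Access-Control-Allow-Credentials: true";
  } else {
    outcome.responseReadable = true;
    outcome.reason = "origin explicitly allowed";
  }
  return outcome;
}

// Constructed cases: a public page requesting a LAN device.
const page = "https://example.org/test.html";
const lan = "http://192.168.1.50/";
console.log(xhrOutcome(page, lan, {}));                                     // LAN device without CORS
console.log(xhrOutcome(page, lan, { "access-control-allow-origin": "*" })); // device that opts in
```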

