[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default

Olivier Cornu o.cornu at riseup.net
Tue Jan 21 10:56:42 UTC 2014


On 21/01/2014 10:58, Mike Cardwell wrote:
> There is some misunderstanding of cross-origin policy here. Cross-origin
> policy does not prevent the cross-origin request from taking place. It
> only prevents you from being able to read the response.

Indeed. But being able to send requests to arbitrary *LAN* host:port and
get back discriminating answers allows easy scanning. A JS script might
scan the entire LAN, test firewall policies, and xhr the result back to
the originating website.

> There would be no point in preventing the request from taking place
> as people can initiate them already, without even using JavaScript.
> For example, the above request could have been made by just sticking
> this in some HTML:
> 
> <img src="http://127.0.0.1:1234/">

Indeed, and detect timeouts/errors via JavaScript?
The XHR method seems to provide more information and a more reliable
interface for scanning/network fingerprinting though (you can even test
LAN web servers' CORS policy) -- I haven't looked into it deep enough to
be sure.

I'm not sure how this is all a good default for regular browsing, yet it
is clearly unacceptable in a TBB context: it makes (FOXACID) LAN
fingerprinting a breeze.

--
Olivier Cornu
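For reference, the NoScript ABE ruleset that implements the mitigation this post asks for, written out here as an added example rather than quoted from the thread; it follows NoScript's ABE rule syntax, and the predefined LOCAL keyword is assumed to cover loopback and private-range LAN addresses as NoScript documents it:

```text
# ABE (Application Boundaries Enforcer) rule: protect LAN/loopback resources.
# Requests whose destination is on the local network are only accepted when
# they originate from the local network as well; anything coming from an
# Internet origin (img, script, XHR, form, frame...) is denied before it is
# sent, so the requester learns neither a response nor a timing difference.
Site LOCAL
Accept from LOCAL
Deny
```

Note that the rule only takes effect when ABE itself is enabled in NoScript's options; with ABE off, the ruleset is ignored regardless of its content.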

