[tor-dev] Security issue
tortestprivacy tortestprivacy
tortestprivacy at ro.ru
Mon Jan 20 22:54:02 UTC 2014
Hello
I found a security issue in Tor.
With the Tor Browser Bundle default settings, any web site can access local resources via JavaScript and XMLHttpRequest.
For example, ANY web site can scan local ports by sending requests to http://127.0.0.1:port and see which ports are open.
For example: http://127.0.0.1:80, http://127.0.0.1:8080 and any other ports.
If some application listens on some port, it will be able to accept connections and respond to them. If it is a local web server, any web site that you visit can view HTML pages on it, even if all external incoming connections from the Internet to this port are disabled by the system firewall and only local connections from 127.0.0.1 are allowed.
The solution is to turn on ABE (Application Boundaries Enforcer) by default in the NoScript add-on. Currently it's disabled by default.
After this, no web site can get access to http://127.0.0.1:port via JavaScript and XMLHttpRequest.
This rule will be added in NoScript by default if you turn on ABE:
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny
If you have the default settings of Tor Browser Bundle, ABE is not turned on.
If so, you can test which ports are open on your computer, for example here: http://tortestprivacy.url.ph/
Regards
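
Added example (not part of the original message and not NoScript's code): a simplified model of how the quoted "Site LOCAL / Accept from LOCAL / Deny" rule decides on a request. The function names are hypothetical, and the definition of LOCAL used here (localhost, loopback and RFC 1918 private IPv4 ranges) is an assumption made for illustration.

```javascript
// Simplified model of the ABE rule quoted in the message (illustration only).
// Assumption: LOCAL = "localhost", loopback, and RFC 1918 private IPv4 ranges.
function isLocalHost(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (h === "localhost" || h === "::1") return true;
  const m = h.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 127 || a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Evaluate the rule for one request.
// origin: URL of the page issuing the request; target: URL being requested.
function abeDecision(origin, target) {
  const dest = new URL(target).hostname;
  // "Site LOCAL": the rule only applies to requests aimed at local resources.
  if (!isLocalHost(dest)) return "NOT_APPLICABLE";
  // "Accept from LOCAL": local pages may talk to local resources.
  const src = new URL(origin).hostname;
  // "Deny": every other origin is refused.
  return isLocalHost(src) ? "ACCEPT" : "DENY";
}

// Constructed sample requests: [page origin, requested URL]
const samples = [
  ["http://example.com/page.html", "http://127.0.0.1:8080/"],
  ["http://example.com/page.html", "http://[::1]:80/"],
  ["http://localhost:3000/app", "http://127.0.0.1:80/"],
  ["http://192.168.1.10/admin", "http://10.0.0.5/status"],
  ["http://example.com/page.html", "http://example.org/api"],
];
for (const [origin, target] of samples) {
  console.log(`${origin} -> ${target}: ${abeDecision(origin, target)}`);
}
```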