[tor-talk] Persistent XSS vulnerability in TorStatus

TheGravitator thegravitator at googlemail.com
Mon Apr 25 16:42:25 UTC 2011


----- Original Message ----- 
From: "tagnaq" <tagnaq at gmail.com>
To: <tor-talk at lists.torproject.org>
Sent: Monday, April 25, 2011 11:59 AM
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus


> > Thanks for this.. you might be interested to know that co-incidentally I
> > had a nasty experience with one of these sites (don't know which now)
> > running this code some 4-6 months ago.
>
> A search (grep) in the server descriptor archive starting with
> 2009-01-01 didn't show anything obviously nasty in the contact field -
> so if a TorStatus site contained something nasty in that time period it
> probably wasn't this vulnerability.
> ...but TorStatus is not properly html encoding everywhere where it
> should.
>

Yes, but you'd inject the script later and so not get caught.

> > I had to switch jscript on to
> > view the site
>
> TorStatus sites usually do not require JavaScript.
>

I think you'll find that when you need to order the output or filter it,
you need jscript on, if not in the code then that might explain it all.
Maybe there's a way these functions can be turned off by a jscript
injection, forcing the user to turn it on to use them.

> > Do you reckon a jscript (code injection) vulnerability over Tor, like
> > the one you uncovered, could lead to stack based attacks (the system
> > slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a remote
> > control trojan as I have just removed?
>
> The vulnerability reported in the original posting (a web application
> not doing proper output encoding) has basically nothing to do with Tor
> beside the fact that the web application does show Tor nodes information
> and the way how an attacker delivers its payload to the website.
>

Other than it allowed Tor exits to inject code: "This leads
to a persistent cross-site scripting vulnerability where every Tor node
operator can insert HTML/JavaScript on all vulnerable TorStatus
mirrors."

> So your question boils down to:
> Can one get compromised when browsing a website?
> Yes, you can.

Yes, code injection can indeed be achieved on the www... Q was, can
javascript, in this manner, take advantage of a stack overflow
vulnerability to implant trojans/viruses? I guess you are saying yes
to this.

Thanks,

Cheers

>
> best regards,
> tagnaq
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
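The bug class tagnaq describes above (a field from a relay's server descriptor echoed into a status page without HTML encoding) as an added illustration that is not TorStatus code; the contact lines are constructed, and the encode-on-output fix is the standard remedy rather than anything the thread itself implements:

```python
import html
import re

# Constructed sample "contact" lines in server-descriptor form (no real relays).
# The first one shows why filtering angle brackets is the wrong fix: a plain
# e-mail address in <> is a legitimate contact value.
SAMPLE_CONTACTS = [
    "contact Random Person <nobody@example.org>",
    "contact 0x1234ABCD Relay Admin",
    'contact <script>alert("xss")</script> admin@example.net',
]

MARKUP_RE = re.compile(r"[<>\"']")


def unsafe_cell(contact: str) -> str:
    """Vulnerable pattern: the raw contact string is concatenated into HTML,
    so a relay operator controls markup rendered on every mirror."""
    return f"<td>{contact}</td>"


def safe_cell(contact: str) -> str:
    """Hardened pattern: HTML-encode the untrusted field at output time.
    Legitimate angle brackets survive as visible text."""
    return f"<td>{html.escape(contact, quote=True)}</td>"


def suspicious_contacts(lines):
    """Mirror of the archive grep mentioned in the thread: return contact
    values containing HTML-significant characters. Note it also flags the
    harmless e-mail address, which is why it is a triage aid, not a fix."""
    found = []
    for line in lines:
        if not line.startswith("contact "):
            continue
        value = line[len("contact "):]
        if MARKUP_RE.search(value):
            found.append(value)
    return found


if __name__ == "__main__":
    for line in SAMPLE_CONTACTS:
        value = line[len("contact "):]
        print("unsafe:", unsafe_cell(value))
        print("safe:  ", safe_cell(value))
    print("flagged:", suspicious_contacts(SAMPLE_CONTACTS))
```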
