[tor-talk] Security issue
Yuri
yuri at rawbw.com
Tue Jan 21 00:05:39 UTC 2014
On 01/20/2014 14:53, tortestprivacy tortestprivacy wrote:
> I found a security issue in Tor.
> With Tor Browser Bundle default settings any web-site can access
> local resources by JavaScript and XMLHttpRequest.
> For example ANY web-site can scan local ports by sending requests to
> http://127.0.0.1:port and see what port is opened.
> For example: http://127.0.0.1:80, http://127.0.0.1:8080 and any other
> ports.
> If some application listens on some port it will be able to accept
> connections and respond to them. If it is a local web-server, any
> web-site that you visit can view html-pages on it even if all external
> incoming connections from Internet to this port are disabled by system
> firewall and only local connections from 127.0.0.1 are allowed.
I don't think browsers in general allow connections on loopback
interfaces, unless explicitly requested by users. If any of the browsers
do, this is a security violation irrelevant to Tor.
If you are confident this is an issue with Firefox, you should create a
PR for the Firefox project (in Mozilla Bugzilla).
Yuri