[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default
TT Security
tortestprivacy at ro.ru
Tue Jan 21 04:06:11 UTC 2014
Hi Yuri
>I don't think browsers in general allow connections on loopback
>interfaces, unless explicitly requested by users. If any of the browsers
>do, this is a security violation irrelevant to tor.
>If you are confident this is an issue with firefox, you should create a
>PR for firefox project (in Mozilla bugzilla).
>
>Yuri
Maybe you'll be surprised, but Firefox by default allows connections to loopback interfaces if there is no disabled rule in firewall settings. The NoScript add-on can solve the problem by ABE.
I have Tor Browser Bundle 3.5 and Firefox 24.2.0 from there.
Just open some port on your computer (only for testing), for example a local web server, and try this page with Firefox from Tor Browser Bundle: http://tortestprivacy.url.ph/
You will see :) (ABE must be turned off, as by default)
TT Security.
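
The boundary check discussed in this message, as an added example that is not part of the original post and is not NoScript's code: a request is denied when a non-local origin targets a loopback, private or link-local destination, which approximates what an ABE rule for local resources enforces. The function names, the `SAMPLE_DNS` table and all hosts in it are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name-to-address table so the example runs offline;
# a real check would use the address the browser actually connects to.
SAMPLE_DNS = {
    "public.example": "93.184.216.34",
    "printer.corp.example": "192.168.1.20",
}

def is_local(host, dns=SAMPLE_DNS):
    """True if host is loopback, private, link-local or unspecified."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(dns.get(host, host))
    except ValueError:
        return False  # unresolved name: treated as non-local in this sketch
    # An IPv4-mapped IPv6 literal is judged by the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)

def decide(origin_url, dest_url, dns=SAMPLE_DNS):
    """Deny a request that crosses from a non-local origin to a local destination."""
    origin = urlsplit(origin_url).hostname or ""
    dest = urlsplit(dest_url).hostname or ""
    if is_local(dest, dns) and not is_local(origin, dns):
        return "Deny"
    return "Accept"

if __name__ == "__main__":
    page = "http://public.example/index.html"
    for dest in ("http://127.0.0.1:8080/", "http://[::1]/",
                 "http://printer.corp.example/status",
                 "http://public.example/img.png"):
        print(decide(page, dest), dest)
```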