[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turned on by default
Olivier Cornu
o.cornu at riseup.net
Tue Jan 21 10:56:42 UTC 2014
On 21/01/2014 10:58, Mike Cardwell wrote:
> There is some misunderstanding of cross-origin policy here. Cross-origin
> policy does not prevent the cross-origin request from taking place. It
> only prevents you from being able to read the response.
Indeed. But being able to send requests to arbitrary *LAN* host:port and
get back discriminating answers allows easy scanning. A JS script might
scan the entire LAN, test firewall policies, and xhr the result back to
the originating website.
> There would be no point in preventing the request from taking place
> as people can initiate them already, without even using JavaScript.
> For example, the above request could have been made by just sticking
> this in some HTML:
>
> <img src="http://127.0.0.1:1234/">
Indeed, and detect timeouts/errors via JavaScript?
The XHR method seems to provide more information and a more reliable
interface for scanning/network fingerprinting though (you can even test
LAN web servers' CORS policy) -- I haven't looked into it deep enough to
be sure.
I'm not sure how this is all a good default for regular browsing, yet it
is clearly unacceptable in a TBB context: it makes (FOXACID) LAN
fingerprinting a breeze.
--
Olivier Cornu
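For reference, the mitigation the subject line refers to is NoScript's Application Boundaries Enforcer (ABE), whose built-in SYSTEM ruleset blocks requests that originate from an Internet site and target local or LAN addresses. The ruleset below is added here as an illustration of that rule syntax; it is not part of the thread, and the comment lines are the editor's. ABE's predefined LOCAL placeholder stands for loopback and private-network address ranges as ABE defines them.

```text
# ABE SYSTEM ruleset (default rule shipped with NoScript's ABE)
# Requests to LOCAL (loopback / private LAN) hosts are accepted only
# when they come from another LOCAL origin; anything else is denied,
# so a page served from the Internet cannot probe 127.0.0.1 or the LAN.
Site LOCAL
Accept from LOCAL
Deny
```

With this rule active, the `<img src="http://127.0.0.1:1234/">` and XHR requests discussed above are refused before they leave the browser, which removes the timing/error side channel rather than just hiding the response.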