[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default

Max Jakob Maass max at velcommuta.de
Tue Jan 21 12:18:21 UTC 2014


On 21.01.2014 12:38, Olivier Cornu wrote:
> Le 21/01/2014 11:30, Yuri a écrit :
>> 
>> I just tried stock Firefox 26.0 version, and it doesn't allow
>> loopback access (FreeBSD version). I don't have firewall. So it
>> must be an issue with the earlier FF, or maybe with TBB
>> modifications to it. Chrome-31 is also free of this problem.
> 
> Loopback (and LAN I bet) is accessible with TBB, FF and Chromium
> on Linux (Ubuntu). Platform specific behaviors?
> 
> Anyway, the more I think about it, the more I see this as a TBB
> bug: TBB is leaking non-Tor connections on client LAN. As I
> understand it, current behavior is too clever and too liberal: 
> instead of allowing non-Tor connections to LAN hosts, supposedly
> because they are safe, it should block them as a default.

Tor actually rejected my attempted XMLHttpRequest to a non-loopback
address (Log-Message stating that the SocksProxy did not allow local
connections). But then again, it also did not successfully receive
data from localhost:80 (nc showed something, but the testing site gave
an error message when trying to connect to my apache2 on port 80). Did
it behave differently for you?
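
The default-deny behaviour discussed in this thread (refusing loopback and LAN destinations instead of letting them bypass the proxy), as an added example that is not part of any message here and is not Tor or Tor Browser code. The names `classify_target` and `allow`, the `LOCAL_NAMES` list and the sample URLs are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy helper: decide whether a request target points at the
# client's own machine or LAN and must therefore be refused by default.
LOCAL_NAMES = ("localhost",)  # assumption: names treated as loopback without DNS


def classify_target(url):
    """Return 'loopback', 'lan', 'public' or 'hostname' for the URL's host."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL: %r" % (url,))
    host = host.rstrip(".").lower()
    if host in LOCAL_NAMES or host.endswith(".localhost"):
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: the name has to be resolved on the proxy side and
        # the resulting address checked again before connecting.
        return "hostname"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it cannot slip past the check.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_loopback or addr.is_unspecified:
        return "loopback"
    if addr.is_private or addr.is_link_local:
        return "lan"
    return "public"


def allow(url):
    """Default-deny: only public literals and names left to the proxy pass."""
    return classify_target(url) in ("public", "hostname")


if __name__ == "__main__":
    # Constructed sample targets, including the localhost:80 case from the thread.
    for sample in ("http://localhost:80/", "http://127.0.0.1:80/",
                   "http://192.168.0.10/admin", "http://[::1]:8080/",
                   "http://[::ffff:192.168.1.1]/", "http://8.8.8.8/",
                   "https://example.org/"):
        print("%-32s %-9s allow=%s" % (sample, classify_target(sample), allow(sample)))
```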

