[tor-talk] Security issue. Firefox in Tor Browser Bundle allows access to LAN resources. To fix: ABE of NoScript must be turn on by default
TT Security
tortestprivacy at ro.ru
Tue Jan 21 23:20:34 UTC 2014
Hi Yuri,
> 21 Январь 2014 г. 10:45:09 пользователь Yuri (yuri at rawbw.com) написал:
>
> On 01/21/2014 01:01, Olivier Cornu wrote:
> > Fwiw, I can confirm this unfortunate behavior.:(
> > TBB connecting to loopback netcat socket from tortestprivacy.url.ph
> > javascript:
>
> This is very troubling. I also confirm, though behavior with nc and with
> apache listeners differ for some reason.
> I created a PR: https://bugzilla.mozilla.org/show_bug.cgi?id=962017
>
> Yuri
Mozilla developers don't like such insignificant(from their point of view) :)
Just ask Gijs Kruitbosch there: what would be if some application will send "Access-Control-Allow-Origin: *" in response?
And he will answer to you: this is not the problem of firefox! :)) you'll need control applications on your computer yourself, so if some application will reply with this header Firefox will allow ANY web-site from the global web read the reply and save it on its server :)
This is like Firefox works now! :)
They don't think forward!
For example, IE and Opera don't allow acces to LAN resources from global web-sites by default.
---
Regards,
TT Security.
More information about the tor-talk
mailing list