Hi TagNaq,

Thanks for this. You might be interested to know that, coincidentally, I had a nasty experience with one of these sites (don't know which now) running this code some 4-6 months ago. I had to switch JScript on to view the site, and when I reloaded the page my PC slowed to a halt and then, after a minute or 2, rebooted all on its lonesome, taking a while to come up after rebooting. At the time it was just annoying, as I had to go back there again and the same thing happened. On the 3rd time I went to another Tor status site and the problem did not repeat.
I didn't think anything of it until about 3 weeks ago, when I got a new AV after noticing some files (looked encrypted) on my PC which I had no idea how they got there; they were in a non-system/software area of the drive. The new AV did a low-level (on-drive code level) hard disk inspection on boot and found a hidden (from the OS) partition and deleted it. That was the beginning of nearly a week of problems: sudden slowdowns for no reason, blue screens, and various AVs then finding pieces of some sort of key-logging trojans and traces of numerous viruses they had previously failed to find. Finally, cut, paste, drag and drop stopped working. Nothing would fix it. According to the reports, this was being caused by a remote-control-like trojan (possibly now just a remnant) watching everything going through WinExplorer (looking over its shoulder, so to speak). I got software to remove this and then more to fix the settings it had left, and that led to yet another trojan being found and removed. It now works OK.

Do you reckon a JScript (code injection) vulnerability over Tor, like the one you uncovered, could lead to stack-based attacks (the system slow and reboot) on WinNT/Win2k/WinXP systems, to insert such a remote-control trojan as I have just removed?

Cheers,
Paul

----- Original Message -----
From: "tagnaq" <[email protected]>
To: "Tor-Talk" <[email protected]>
Cc: <[email protected]>
Sent: Saturday, April 23, 2011 6:00 PM
Subject: [tor-talk] Persistent XSS vulnerability in TorStatus

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> "TorStatus is a website display used to summarize metrics about the Tor
> Network. It's a precursor to http://metrics.torproject.org. The code
> repository is at https://svn.torproject.org/svn/torstatus/. Example
> running sites are http://torstatus.blutmagie.de/ [...]"
>
> Note: TorStatus is not a Tor Project product and is not maintained.
>
>
> Vulnerability
> -------------
> DisplayRouterRow() in index.php prints the contact information string
> from a server descriptor - defined via 'ContactInfo' in torrc by a node
> operator - into the HTML page without proper output encoding. This leads
> to a persistent cross-site scripting vulnerability where every Tor node
> operator can insert HTML/JavaScript on all vulnerable TorStatus mirrors.
>
> The contact information column is only included in the HTML page if the
> end-user (browsing a TorStatus mirror) adds the contact column
> via "Advanced Display Options" (column_set.php); the contact column is
> not included by default. An attacker might set the displayed columns for
> a victim via CSRF.
>
> A simple search in the server descriptors of the last two months did not
> reveal an obvious exploitation in that time period. The simple search
> used is not suitable to give a clear answer.
> [grep -hir ^contact * |egrep -i '(script|src)']
>
> Affected Versions
> -----------------
> 4.0
> 3.6.1
> 3.6
> 3.5
> 3.4.2
> 3.4.1
> and probably others
>
>
> Solution
> --------
> The attached patch was committed to the svn (revision r24666).
> https://svn.torproject.org/svn/torstatus/
>
>
> Thanks to Robert, Andrew, Olaf, Damian and Sebastian.
>
> _______________________________________________
> tor-talk mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
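The rendering defect tagnaq describes, and the grep heuristic from the advisory, worked through as an added example that is not part of this thread or of TorStatus: a Python model of the contact column emitted raw versus with output encoding (html.escape standing in for PHP's htmlspecialchars), run over constructed descriptor lines. The function names and the sample relays are my own and are not from the project.

```python
import html
import re

# Constructed server-descriptor excerpts (not real relay data). Each
# "contact" line is operator-controlled text that DisplayRouterRow()
# printed straight into the HTML table.
SAMPLE_DESCRIPTORS = """\
router relayA 203.0.113.10 9001 0 0
contact Alice <alice AT example DOT org>
router relayB 203.0.113.11 9001 0 0
contact Bob <script>alert(document.cookie)</script>
router relayC 203.0.113.12 9001 0 0
contact Carol <b>bold</b>
"""

# The advisory's own heuristic: egrep -i '(script|src)' over contact lines.
SIMPLE_PATTERN = re.compile(r"script|src", re.IGNORECASE)


def contact_lines(descriptors: str) -> list[str]:
    """Return the operator-supplied value of every 'contact' line."""
    return [line[len("contact "):] for line in descriptors.splitlines()
            if line.startswith("contact ")]


def render_row(contact: str, encode: bool) -> str:
    """Build the table row for the contact column.

    encode=False reproduces the vulnerable behaviour (raw string into HTML);
    encode=True applies the output encoding the column needs, so angle
    brackets, quotes and ampersands reach the browser as text, not markup.
    """
    cell = html.escape(contact, quote=True) if encode else contact
    return f"<tr><td>{cell}</td></tr>"


def suspicious_contacts(descriptors: str) -> list[str]:
    """Contact values the advisory's grep would flag."""
    return [c for c in contact_lines(descriptors) if SIMPLE_PATTERN.search(c)]


def unflagged_markup(descriptors: str) -> list[str]:
    """Contact values carrying a tag that the script|src grep does NOT flag.

    Shows why the advisory calls its search insufficient: HTML injection
    without 'script' or 'src' passes the filter, so the fix is encoding on
    output, not pattern matching on input.
    """
    return [c for c in contact_lines(descriptors)
            if re.search(r"<[a-zA-Z]", c) and not SIMPLE_PATTERN.search(c)]
```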
