----- Original Message -----
From: "tagnaq" <[email protected]>
To: <[email protected]>
Sent: Monday, April 25, 2011 11:59 AM
Subject: Re: [tor-talk] Persistent XSS vulnerability in TorStatus
> > Thanks for this.. you might be interested to know that co-incidentally I
> > had a nasty experience with one of these sites (don't know which now)
> > running this code some 4-6 months ago.
>
> A search (grep) in the server descriptor archive starting with
> 2009-01-01 didn't show anything obviously nasty in the contact field -
> so if a TorStatus site contained something nasty in that time period it
> probably wasn't this vulnerability.
> ...but TorStatus is not properly html encoding everywhere where it should.

Yes, but you'd inject the script later and so not get caught.

> > I had to switch jscript on to
> > view the site
>
> TorStatus sites usually do not require JavaScript.

I think you'll find that when you need to order the output or filter it, you need jscript on, if not in the code then that might explain it all. Maybe there's a way these functions can be turned off by a jscript injection, forcing the user to turn it on to use them.

> > Do you reckon a jscript (code injection) vulnerability over Tor, like
> > the one you uncovered, could lead to stack based attacks (the system
> > slow and re-boot) on WinNT/Win2k/WinXP systems, to insert such a remote
> > control trojan as I have just removed?
>
> The vulnerability reported in the original posting (a web application
> not doing proper output encoding) has basically nothing to do with Tor
> beside the fact that the web application does show Tor nodes information
> and the way how an attacker delivers its payload to the website.

Other than it allowed Tor exits to inject code: "This leads to a persistent cross-site scripting vulnerability where every Tor node operator can insert HTML/JavaScript on all vulnerable TorStatus mirrors."

> So your question boils down to:
> Can one get compromised when browsing a website?
> Yes, you can.

Yes, code injection can indeed be achieved on the www...
Q was, can javascript, in this manner, take advantage of stack overflow vulnerability, to implant trojans/viruses, I guess you are saying yes to this.

Thanks, Cheers

>
> best regards,
> tagnaq
> _______________________________________________
> tor-talk mailing list
> [email protected]
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
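The check tagnaq describes above (grepping the descriptor archive's contact field for markup) and the output-encoding fix the thread points to, written out as an added Python example; this is not TorStatus code and not from either correspondent. The descriptor text is a constructed sample, and the row-rendering functions are hypothetical stand-ins for how a status page would emit the contact column.

```python
import html
import re

# Constructed sample descriptor-archive text (not real relay data).
SAMPLE_ARCHIVE = """\
router alpha 10.0.0.1 9001 0 9030
published 2011-04-25 10:00:00
contact Alice <alice AT example DOT org>
router beta 10.0.0.2 9001 0 9030
published 2011-04-25 10:05:00
contact <img src=x onerror="alert(1)"> Bob
router gamma 10.0.0.3 9001 0 0
published 2011-04-25 10:10:00
"""

# Tag names, inline event handlers and javascript: URLs; plain "<alice AT ...>"
# mail brackets deliberately do not match.
MARKUP_RE = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg|object|embed|a|style|body|meta|link)\b"
    r"|\bon[a-z]+\s*=|javascript:", re.I)

def parse_contacts(archive_text):
    """Map router nickname -> contact string for descriptors that have one."""
    contacts, nick = {}, None
    for line in archive_text.splitlines():
        if line.startswith("router "):
            nick = line.split()[1]
        elif line.startswith("contact ") and nick is not None:
            contacts[nick] = line[len("contact "):]
    return contacts

def suspicious_contacts(archive_text):
    """The archive grep from the thread: nicknames whose contact field
    looks like HTML or script rather than free text."""
    return sorted(n for n, c in parse_contacts(archive_text).items()
                  if MARKUP_RE.search(c))

def render_row_unsafe(nick, contact):
    # The TorStatus-class bug: an operator-controlled value is interpolated
    # into the page without encoding.
    return "<tr><td>%s</td><td>%s</td></tr>" % (nick, contact)

def render_row_safe(nick, contact):
    # The fix: HTML-encode every operator-controlled value at output time
    # (quotes included), so markup in the contact line renders as text.
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(nick, quote=True), html.escape(contact, quote=True))
```

Run over a real archive, `suspicious_contacts` is a triage list, not a verdict; the encoding in `render_row_safe` is what actually closes the hole, whatever the contact line contains.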
