I tested the example exploit URL in the Firefox ticket using both Firefox Aurora 22.0a2 (2013-4-12) and Tor Browser Firefox ESR 17.0.4 (tor-pluggable-transports-browser-2.4.11-alpha-2_en-US Windows package).
Using Firefox Aurora, the exploit failed and was not able to access resource:// URLs at all. Using the Tor Browser mentioned, it succeeded to the extent that it was able to determine my Browser was Firefox. I had to enable scripts for that site in order for it to gain any more information, at which time it could identify all the other info it tried to including the fact that I was using Tor Browser. The most of the resource URIs used by the example exploit page/script (and many more) were valid LOCALLY in Aurora, but the remote exploit failed to access them. In Tor Browser, the exploit succeeded to varying degrees depending on whether NoScript blocked the script or not. Is this an issue of using too old of a Firefox version for Tor Browser? Asa -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Griffin Boyce Sent: Thursday, April 18, 2013 7:51 PM To: [email protected] Subject: Re: [tor-talk] Abusing resource:// uri in Firefox Browser It's in the ticket system as #8725, and I was able to duplicate this bug. Somehow preventing outside resource_uri access or pretending to be a non-firefox browser would obviate this quirk. https://trac.torproject.org/projects/tor/ticket/8725 ~Griffin _______________________________________________ tor-talk mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
_______________________________________________ tor-talk mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
