Insecurities in Tor Vidalia Privoxy Configurations - Details

At the end of October, the Tor project released updated Vidalia bundles that addressed some insecurities in the Privoxy configuration that existed in versions prior to 0.1.2.18. I posted the following brief advisory to the or-talk mailing list at the time:

Versions of the Vidalia bundle prior to 0.1.2.18 install Privoxy with
an insecure configuration file.  Both Windows and Mac OS X versions
are affected.  The installed 'config.txt' file ('config' on Mac OS X)
had the following option values set to 1:

  - enable-remote-toggle
  - enable-edit-actions

Additionally, on Windows the following option was set to 1:

  - enable-remote-http-toggle

Malicious sites (or malicious exit nodes) could include active content
(e.g., JavaScript, Java, Flash) that caused the web browser to:

  - make requests through the proxy that cause Privoxy filtering to
    be bypassed or completely disabled

  - establish a direct connection from the web browser to the local
    proxy and modify the user defined configuration values

The Privoxy documentation recommends against enabling these options in
multi-user environments or when dealing with untrustworthy clients.
However, the documentation does not mention that client-side
web browser scripts or vulnerabilities could be exploited as well.

It should be noted that using Tor is not a prerequisite for some of
these attacks to be successful.  Users of Tor may be at greater risk,
because malicious exit nodes can inject content into otherwise trusted
sites.

In order to allow time for people to upgrade, additional attack
details and sample code will be withheld for a couple of days.

That "couple of days" got stretched to nearly a month since I decided to hold off until Firefox 2.0.0.10 was released. But, full details and sample exploit code are now available. Enjoy.
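A check for the three options named in the advisory, as an added example that is not part of the original post and not code from the Tor or Privoxy projects. It assumes the config file uses whitespace-separated `option value` lines with `#` comments; the function names and the sample file are constructed for illustration.

```python
import re

# The three options the advisory lists as set to 1 in affected bundles.
RISKY = ("enable-remote-toggle", "enable-edit-actions",
         "enable-remote-http-toggle")

# Constructed sample in the style of an affected Windows config.txt.
SAMPLE_CONFIG = """\
# constructed sample, not a real bundle file
listen-address  127.0.0.1:8118
toggle  1
enable-remote-toggle  1
#enable-remote-http-toggle  0
enable-remote-http-toggle 1
enable-edit-actions 1   # trailing comment
forward-socks4a / 127.0.0.1:9050 .
"""

def audit(text):
    """Return (line_number, option) for every active risky option set to 1."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Simplification: treat everything after '#' as a comment.
        fields = raw.split("#", 1)[0].split()
        # Names are compared case-insensitively to err on the side of flagging.
        if len(fields) >= 2 and fields[0].lower() in RISKY and fields[1] == "1":
            findings.append((lineno, fields[0].lower()))
    return findings

_ACTIVE = re.compile(
    r"^([ \t]*(?:%s)[ \t]+)1(?=[ \t#]|$)" % "|".join(map(re.escape, RISKY)),
    re.IGNORECASE | re.MULTILINE)

def harden(text):
    """Rewrite each active risky option from 1 to 0, leaving other lines alone."""
    return _ACTIVE.sub(r"\g<1>0", text)

if __name__ == "__main__":
    for lineno, option in audit(SAMPLE_CONFIG):
        print("line %d: %s is set to 1" % (lineno, option))
    assert audit(harden(SAMPLE_CONFIG)) == []
```

Commented-out lines and the unrelated `toggle` option are left untouched, so the hardened text differs from the input only on the flagged lines.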

Posted by gfleischer on 2007/11/29 at 11:07 in Vulnerabilities
