Opened 5 years ago

Closed 5 years ago

#10686 closed defect (duplicate)

Tor allows Cross-Site Request initiations to localhost

Reported by: GerardusHendricks Owned by: mikeperry
Priority: High Milestone:
Component: TorBrowserButton Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Please also see the discussion on the Tor-Talk mailing list:

https://lists.torproject.org/pipermail/tor-talk/2014-January/031776.html

I'll try to condense the discussion into a single problem. I have not tried to reproduce this myself, but several people confirm the behaviour on the list.

User TT-Security points out that the Tor Browser Bundle allows any website to initiate cross-site requests to localhost. This is possible because the Tor Browser proxy settings exempt "localhost, 127.0.0.1" from using the proxy (see Options -> Advanced -> Network -> Settings -> No proxy for).

I said "initiate" requests, because the Same-Origin policy of Firefox in most cases prevents the website from reading the localhost response, because the localhost server must return an HTTP Access-Control-Allow-Origin header with the appropriate value.

This is however still a problem in the Tor Browser Bundle security model, as arbitrary websites can launch requests to localhost services, even if they cannot read the response.

I must note that requests to private addresses (such as 192.168.0.1) are safe because they are properly proxied through Tor (but will of course fail).

Solutions would include removing localhost from "No proxy for" or enabling NoScript's Application Boundaries Enforcer.

Change History (3)

comment:1 Changed 5 years ago by cypherpunks

> Solutions would include removing localhost from "No proxy for"

#10165: localhost was already removed from the exclusion list.
You can't remove 127.0.0.1 too, or else some part of the Firefox code will communicate with itself via Tor. Or you need to verify that this cannot happen.

> or enabling NoScript's Application Boundaries Enforcer.

Depends on what NoScript's ABE actually does in that case.

comment:2 in reply to:  1 Changed 5 years ago by cypherpunks

(Well hello this is awkward, you can refer to me as cypherpunks2)

Replying to cypherpunks:

> You can't remove 127.0.0.1 too, else some part of Firefox code will go to communicate with itself via Tor.

Can you elaborate what you mean by this? Which Firefox code are you referring to?

If I set

user_pref("extensions.torbutton.no_proxies_on", "");
user_pref("extensions.torbutton.saved.no_proxies_on", "");
user_pref("network.proxy.no_proxies_on", "");

and then try to connect to http://127.0.0.1:631 (the CUPS printer interface), as expected, tor rejects the connection:

[warn] Rejecting SOCKS request for anonymous connection to private address [scrubbed].
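
An added example, not part of the ticket or of Tor Browser's code: a small audit that reads a profile's prefs text and reports which of the three bypass prefs named in comment:2 still exempt the local machine from the proxy. The sample prefs text and the function names are constructed for illustration, and the entry forms handled (host, host:port, bracketed IPv6, CIDR) are an assumption about what a "No proxy for" list may contain.

```python
import ipaddress
import re

# The three proxy-bypass prefs named in comment:2 of this ticket.
BYPASS_PREFS = (
    "extensions.torbutton.no_proxies_on",
    "extensions.torbutton.saved.no_proxies_on",
    "network.proxy.no_proxies_on",
)
# Matches string-valued user_pref("name", "value"); lines only.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)
LOOPBACK = {4: ipaddress.ip_network("127.0.0.0/8"), 6: ipaddress.ip_network("::1/128")}

# Constructed sample, not copied from a real profile.
SAMPLE_PREFS = '''
user_pref("extensions.torbutton.no_proxies_on", "");
user_pref("extensions.torbutton.saved.no_proxies_on", "localhost, 127.0.0.1");
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
user_pref("browser.startup.homepage", "about:blank");
'''


def is_loopback(entry):
    """True if a bypass-list entry names, or is a network covering, the local machine."""
    host = entry.strip().lower()
    if host.startswith("["):            # bracketed IPv6, optional :port
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # host:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        net = ipaddress.ip_network(host, strict=False)  # single address or CIDR
    except ValueError:
        return False                    # ordinary hostname or empty entry
    return net.overlaps(LOOPBACK[net.version])


def audit_prefs(text):
    """Return {pref name: [loopback entries]} for bypass prefs that exempt loopback."""
    findings = {}
    for name, value in PREF_RE.findall(text):
        if name in BYPASS_PREFS:
            hits = [e.strip() for e in value.split(",") if is_loopback(e)]
            if hits:
                findings[name] = hits
    return findings


if __name__ == "__main__":
    for pref, entries in audit_prefs(SAMPLE_PREFS).items():
        print(f"{pref}: bypasses the proxy for {', '.join(entries)}")
```
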

comment:3 Changed 5 years ago by gk

Resolution: duplicate
Status: new → closed

Duplicate of #10419.