Opened 6 years ago

Closed 2 years ago

#9636 closed defect (worksforme)

Tor not fully passing input to CGI script

Reported by: hnaparst
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

As a hobby project, I thought I would create a public mailserver as a hidden service. When I got to the part about creating a self-registration page, which I did as a CGI with compiled C, I ran into a bizarre problem.

When accessing the registration service from the Tor Browser, either as a hidden service or directly through the IP address, the registration process fails because some of the information is not passed correctly to the CGI script. The script completes successfully if you turn off the tor service in the browser or use another browser.

The registration page is: http://54.229.143.194/cgi-bin/vqregister/vqregister.cgi

This is an Amazon instance, which I will leave on until this case is resolved. If you wish, I can send you an AMI.

For instance, trying to register an account with name, username, and password of foox results in Apache thinking that it only received 48 characters: fname=foox&user=foox&dom=7wwgnynofwo7wodd.onion& instead of the full 86 characters fname=foox&user=foox&dom=7wwgnynofwo7wodd.onion&pass=foox&vpass=foox&Register=Register

Oddly, the Apache script log correctly shows

%% [Sat Aug 31 09:46:49 2013] POST /cgi-bin/vqregister/vqregister.cgi HTTP/1.1
%% 500 /var/www/localhost/cgi-bin/vqregister/vqregister.cgi
%request
Host: 54.229.143.194
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://54.229.143.194/cgi-bin/vqregister/vqregister.cgi
Content-Type: application/x-www-form-urlencoded
Content-Length: 86

fname=foox&user=foox&dom=7wwgnynofwo7wodd.onion&pass=foox&vpass=foox&Register=Register
%response

I would conclude that it is an Apache misconfiguration, since the script log looks fine, except that this problem only occurs when using Tor. It fails 100% of the time with Tor, and succeeds 100% of the time without Tor.

Change History (6)

comment:2 Changed 6 years ago by hnaparst

Please let me know when you would like to look at this, and I will turn the instance on. Alternatively, I have an AMI.

comment:3 Changed 6 years ago by nickm

This isn't something I'm going to be great at tracking down myself, since I don't know much about setting up Apache stuff. Have you tried looking at the connections with some kind of packet dumping tool to see what's going on at the network level?

comment:4 Changed 6 years ago by hnaparst

No, I haven't tried using tcpdump. Again, the crazy thing is that what is delivered to the CGI script is different if it comes from Tor, even for the same request address. So it is almost like a few bytes of the packet are somehow stripped by Tor before getting to Apache. Not a good thing to be happening. One wonders where those bytes have gone.

comment:5 Changed 5 years ago by nickm

Milestone: Tor: unspecified
Status: new → needs_information

Yeah, in order to debug this one, we're really going to need to know where, exactly, the data is going astray.

comment:6 Changed 2 years ago by nickm

Resolution: worksforme
Severity: Normal
Status: needs_information → closed
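
Added example, not from the ticket or from the vqregister source: a C CGI that calls read() once on stdin can receive fewer bytes than Content-Length when the body reaches it in pieces. The ticket never establishes whether that happened here. The sketch replays the ticket's 86-byte body as a constructed 48 + 38 byte split and compares a single read() with a loop that reads up to the declared length; all function names are hypothetical.

```c
/* Added example: constructed harness, not the reporter's vqregister code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Naive pattern: one read(), then trust whatever came back. */
static ssize_t read_body_once(int fd, char *buf, size_t want) {
    return read(fd, buf, want);
}

/* Robust pattern: keep reading until `want` bytes (CONTENT_LENGTH) arrive,
 * EOF is hit, or a real error occurs. Returns the bytes actually read. */
static ssize_t read_body_full(int fd, char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0) got += (size_t)n;
        else if (n == 0) break;               /* EOF: body shorter than declared */
        else if (errno != EINTR) return -1;   /* hard error */
    }
    return (ssize_t)got;
}

/* Constructed simulation: deliver the ticket's 86-byte body as a 48-byte piece
 * followed by a 38-byte piece. A datagram socketpair keeps the pieces
 * separate, so each read() returns only one of them. */
static ssize_t simulate(ssize_t (*reader)(int, char *, size_t), char *out) {
    static const char body[] = "fname=foox&user=foox&dom=7wwgnynofwo7wodd.onion&"
                               "pass=foox&vpass=foox&Register=Register";
    int sv[2];
    ssize_t n = -1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    if (write(sv[1], body, 48) == 48 && write(sv[1], body + 48, 38) == 38)
        n = reader(sv[0], out, 86);
    if (n >= 0) out[n] = '\0';
    close(sv[0]); close(sv[1]);
    return n;
}

int main(void) {
    char buf[128];
    printf("single read(): %zd bytes\n", simulate(read_body_once, buf));
    printf("read loop:     %zd bytes\n", simulate(read_body_full, buf));
    return 0;
}
```

In a real CGI the `want` value comes from the CONTENT_LENGTH environment variable, and logging the returned count next to it shows whether the script or something upstream dropped the bytes.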