Issue #40314
Created Jun 21, 2021 by Georg Koppen (@gk)

Misconfigured DNS allows same-site-scripting

We got a bug report at HackerOne which I am not sure what to do about. Here it is to get input from our sysadmins (who need to fix it anyway, in case it's deemed valid):

Same site scripting

I have found an error of some misconfigured DNS in a subdomain of yours which causes same site scripting.

Steps To Reproduce:

Step 1 : Go to terminal or cmd
Step 2 : Now type host localhost.torproject.org
Step 3 : Now you can see the response from localhost 127.0.0.1
Step 4 : This leads to Same site scripting

Reference :

http://www.securityfocus.com/archive/1/486606/30/0/threaded

Solution:

Kindly remove DNS record from nameserver or use that subdomain.

Impact

Same site scripting may lead to internal DOS
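
An added example, not part of the issue or the quoted report: one way a zone owner could audit for the record pattern described above, generalized from the single `localhost` name to any A/AAAA record in loopback space. The zone text is constructed (example.org is a placeholder), and the parser assumes one record per line with no parenthesized multi-line records.

```python
import ipaddress

# Constructed sample zone; example.org and all records are placeholders.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@           IN  A     192.0.2.10
localhost   IN  A     127.0.0.1   ; the pattern from the report
dev    300  IN  A     127.0.0.53
lo6         IN  AAAA  ::1
            IN  AAAA  2001:db8::25
ext.example.net.  IN  A  198.51.100.7
"""

def loopback_records(zone_text):
    """Return (fqdn, type, address) for every A/AAAA record in loopback space."""
    origin, last_owner, findings = "", "@", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".")
            continue
        if fields[0].startswith("$"):
            continue                               # $TTL, $INCLUDE, ...
        if line[0].isspace():                      # blank owner: reuse previous one
            owner, rest = last_owner, fields
        else:
            owner, rest = fields[0], fields[1:]
            last_owner = owner
        # Skip the optional TTL and class in front of the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest = rest[1:]
        if len(rest) < 2 or rest[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(rest[1])
        except ValueError:
            continue                               # malformed rdata, skipped here
        if addr.is_loopback:                       # 127.0.0.0/8 and ::1
            fqdn = origin if owner == "@" else owner.rstrip(".") if owner.endswith(".") else f"{owner}.{origin}"
            findings.append((fqdn, rest[0].upper(), str(addr)))
    return findings

if __name__ == "__main__":
    print(*loopback_records(SAMPLE_ZONE), sep="\n")
```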