It should be noted that this regression (introduced in 2.6.9.13 and
fixed in 2.6.9.15) is mitigated by the data: URI content being run with
a null principal, i.e. being considered cross-domain in respect of any
other document (including the page which originated it), therefore its
ability to do nasty things (e.g. reading cookies, collecting sensitive
data or executing plugin content) is impaired.
You can observe this by replacing "alert(1)" with
"alert(document.domain)" (you'll get an empty string) or
"alert(opener.location.href)" (you'll get a security error) in the
provided PoC.
However yes, upgrading to latest NoScript as soon as it's released is
always advisable for security-minded users.
-- G
On 01/03/2015 14:24, jvoisin wrote:
> Hello,
>
> it seems that the latest Tails (1.3) ships with a vulnerable version of
> NoScript, that allows to bypass the "Disable Scripts" settings. I know
> that this is outside the threat model of Tails, since scripts are
> enabled by default, but since some users are manually activating this
> setting, I think that it's still relevant.
>
> Anyway, I wrote a quick'n'dirty proof of concept for this vuln, if you
> want to play a bit with it:
> http://dustri.org/b/noscript-script-disabled-bypass-poc-for-tails-13.html
>
> Cheers,
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
> Tails-dev-unsubscribe@???.
--
Giorgio Maone
https://maone.net
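The two checks Giorgio suggests (alert(document.domain) and alert(opener.location.href)) can be packaged as a small probe page so that the result is written into the document rather than popped up one alert at a time. The following is an added example and not part of the thread above or of the linked PoC; it assumes the generated data: URI is opened from a host page with window.open() so that `opener` is set, and the "expected" values in the comments are what the message above describes for a null-principal document (document.domain empty, opener access throwing), plus the usual opaque-origin serialization "null" for location.origin.

```javascript
// Added example (not from the original thread): build a data: URI whose
// embedded script probes what a null-principal document can reach and
// reports the outcome in the page body instead of via alert().
// Usage from a host page (assumption, not in the original): window.open(buildProbeDataUri());

const PROBE_SCRIPT = `
(function () {
  var results = [];
  function probe(label, fn) {
    try { results.push(label + ': ' + JSON.stringify(fn())); }
    catch (e) { results.push(label + ': threw ' + e.name); }
  }
  probe('document.domain', function () { return document.domain; });          // expected: ""
  probe('location.origin', function () { return location.origin; });          // expected: "null"
  probe('opener.location.href', function () { return opener.location.href; }); // expected: SecurityError
  probe('document.cookie', function () { return document.cookie; });          // empty or an error, depending on the browser
  var pre = document.createElement('pre');
  pre.textContent = results.join('\\n');
  document.body.appendChild(pre);
})();
`;

// Wrap the probe script in a minimal HTML document and percent-encode it
// into a text/html data: URI (encodeURIComponent escapes '<', '>', '#', etc.).
function buildProbeDataUri() {
  var html = '<!doctype html><title>principal probe</title><body>' +
    '<script>' + PROBE_SCRIPT + '</script></body>';
  return 'data:text/html,' + encodeURIComponent(html);
}

// Inverse of buildProbeDataUri(), so the encoded document can be inspected
// or compared without opening it in a browser.
function decodeProbeDataUri(uri) {
  var prefix = 'data:text/html,';
  if (!uri.startsWith(prefix)) throw new Error('not a text/html data: URI');
  return decodeURIComponent(uri.slice(prefix.length));
}
```

The probe deliberately catches every exception and records its name, so a document that is not running with a null principal (for example one opened by a page of the same origin in a browser that inherits the opener's principal for data: URIs) shows a real URL for opener.location.href instead of a SecurityError, which makes the difference visible at a glance.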