-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

"TorStatus is a website display used to summarize metrics about the Tor Network. It's a precursor to http://metrics.torproject.org. The code repository is at https://svn.torproject.org/svn/torstatus/. Example running sites are http://torstatus.blutmagie.de/ [...]"

Note: TorStatus is not a Tor Project product and is not maintained.

Vulnerability - ------------- DisplayRouterRow() in index.php prints the contact information string from a server descriptor - defined via 'ContactInfo' in torrc by a node operator - into the HTML page without proper output encoding. This leads to a persistent cross-site scripting vulnerability where every Tor node operator can insert HTML/JavaScript on all vulnerable TorStatus mirrors.

The contact information column is only included in the HTML page if the end-user (browsing a TorStatus mirror) adds the contact column via "Advanced Display Options" (column_set.php), the contact column is not included by default. An attacker might set the displayed columns for a victim via CSRF.

A simple search in the server descriptors of the last two months did not reveal an obvious exploitation in that time period. The simple search used is not suitable to give a clear answer. [grep -hir ^contact * |egrep -i '(script|src)']

Affected Versions - ----------------- 4.0 3.6.1 3.6 3.5 3.4.2 3.4.1 and probably others

Solution - -------- The attached patch was committed to the svn (revision r24666). https://svn.torproject.org/svn/torstatus/

Thanks to Robert, Andrew, Olaf, Damian and Sebastian.