Code audit found six vulnerabilities and highlighted eleven hardening recommendations for The Tor Project (blog.torproject.org)

Posted by King@sh.itjust.works to Tech@programming.dev · 9 days ago · 1 comment
Pika@sh.itjust.works · 9 days ago

The article does a nice job explaining what each of the applications/services do. This is the list of disclosed vulnerabilities from the report.

Reported vulnerabilities:

- TOR-02-002 WP1: TagTor Flask lacks CSRF token system allowing post requests to be done without validating origin
- TOR-02-006 WP2: Margot command line tool doesn't sanitize input allowing DOS via invalid input
- TOR-02-007 WP2: Margot tool creates false positives and negatives causing false sense of security
- TOR-02-008 WP2: Margot tool contains sensitive system info such as flow and paths in error messages
- TOR-02-009 WP1: TagTor allows DOS due to no ceiling on endpoint limit parameters for authenticated users
- TOR-02-015 WP1: TagTor allows DOS due to inefficient tag storage
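Two of the findings quoted above (TOR-02-002, a POST endpoint with no CSRF token check, and TOR-02-009, a `limit` parameter with no ceiling) are generic web-application defects, so the mitigations are generic too. The block below is an added illustration, not code from TagTor, the Tor Project or the audit report: it issues a CSRF token bound to the caller's session with an HMAC under a server secret, verifies it in constant time before a simulated POST is processed, and clamps a user-supplied `limit` to a fixed ceiling. `SERVER_SECRET`, `MAX_LIMIT`, the session ids and the form dictionaries are all constructed values for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example secret; a real deployment loads this from configuration.
SERVER_SECRET = b"example-secret-do-not-use"

# Hypothetical ceiling for a 'limit' query/form parameter (TOR-02-009 style issue).
MAX_LIMIT = 100


def issue_csrf_token(session_id: str) -> str:
    """Return a token bound to one session: <nonce>.<HMAC-SHA256(secret, session_id:nonce)>.

    Binding the MAC to the session id means a token issued to one session does not
    verify for another, and no server-side token storage is needed.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Accept only a well-formed token whose MAC matches this session, compared in constant time."""
    if not token or "." not in token:
        return False
    nonce, presented = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(presented, expected)


def clamp_limit(raw, default: int = 20, ceiling: int = MAX_LIMIT) -> int:
    """Parse a user-supplied 'limit' and cap it, so one request cannot ask for unbounded work."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return default
    if value < 1:
        return default
    return min(value, ceiling)


def handle_post(session_id: str, form: dict):
    """Simulated POST handler: refuse the request unless it carries a valid token for this session."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    limit = clamp_limit(form.get("limit"))
    return 200, f"ok, processing up to {limit} items"


if __name__ == "__main__":
    sid = "session-abc"  # constructed session id
    tok = issue_csrf_token(sid)
    print(handle_post(sid, {"csrf_token": tok, "limit": "5000"}))  # limit capped at MAX_LIMIT
    print(handle_post(sid, {"limit": "5"}))                         # no token -> 403
    print(handle_post("other-session", {"csrf_token": tok}))        # token for wrong session -> 403
```

The token is stateless (nothing is stored per request), which is why the session id has to be part of the MAC input; a token that only proved "the server minted this" would still be usable from any session. The clamp applies to authenticated users as well, since TOR-02-009 is specifically about requests that pass authentication.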