Masu haɓaka hanyar sadarwar Tor da ba a san sunansu ba sun buga sakamakon binciken binciken Tor Browser da OONI Probe, rdsys, BridgeDB da Conjure kayan aikin da aikin ya ɓullo da su, waɗanda aka yi amfani da su wajen ƙetare takunkumi. Cure53 ne ya gudanar da binciken daga Nuwamba 2022 zuwa Afrilu 2023.
A yayin tantancewar, an gano nakasuwa guda 9, biyu daga cikinsu an bayyana su a matsayin masu hadari, daya kuma an sanya shi matsakaicin matsakaici, sannan 6 an bayyana su a matsayin matsaloli masu karamin hadari. Har ila yau, a cikin tushen lambar, an gano matsaloli 10 da aka rarraba a matsayin rashin tsaro. Gabaɗaya, an lura da lambar Tor Project don biyan amintattun ayyukan shirye-shirye.
Rashin lahani na farko mai haɗari ya kasance a baya na tsarin rarraba rdsys, wanda ke tabbatar da isar da albarkatu kamar jerin wakilai da zazzage hanyoyin haɗi zuwa masu amfani da aka tantance. Rashin iyawar yana faruwa ne sakamakon rashin tantancewa lokacin samun damar mai sarrafa albarkatun albarkatun kuma ya ba maharin damar yin rijistar albarkatun nasu na mugunta don isarwa ga masu amfani. Aiki yana tafasa ƙasa don aika buƙatar HTTP zuwa mai sarrafa rdsys.
An sami raunin haɗari na biyu mai haɗari a cikin Tor Browser kuma ya faru ne sakamakon rashin tabbatar da sa hannun dijital lokacin da ake dawo da jerin nodes ɗin gada ta rdsys da BridgeDB. Tun da an ɗora lissafin a cikin mai binciken a matakin kafin haɗawa zuwa cibiyar sadarwar Tor da ba a san su ba, rashin tabbatar da sa hannun dijital na dijital ya ba maharin damar maye gurbin abubuwan da ke cikin jerin, alal misali, ta hanyar kutse haɗin yanar gizon ko yin kutse na sabar. ta inda ake rarraba jerin sunayen. A yayin harin da aka yi nasara, maharin zai iya shirya masu amfani don haɗawa ta kullin gadar da aka yi wa katsalandan.
Matsakaici mai rauni ya kasance a cikin tsarin rdsys a cikin rubutun ƙaddamar da taron kuma ya ba wa maharin damar ɗaukaka gatansa daga mai amfani zuwa mai amfani da rdsys, idan yana da damar shiga uwar garken da ikon rubutawa zuwa ga directory tare da ɗan lokaci. fayiloli. Yin amfani da raunin rauni ya haɗa da maye gurbin fayil ɗin da za a iya aiwatarwa da ke cikin /tmp directory. Samun haƙƙin mai amfani da rdsys yana bawa maharin damar yin canje-canje ga fayilolin aiwatarwa da aka ƙaddamar ta hanyar rdsys.
Rashin lahani mai ƙarancin ƙarfi ya kasance da farko saboda amfani da tsofaffin abubuwan dogaro waɗanda ke ƙunshe da sanannun lahani ko yuwuwar hana sabis. Ƙananan lahani a cikin Tor Browser sun haɗa da ikon ketare JavaScript lokacin da aka saita matakin tsaro zuwa matsayi mafi girma, rashin ƙuntatawa akan zazzage fayil, da yuwuwar ɗigon bayanai ta hanyar gidan yanar gizon mai amfani, yana ba da damar bin masu amfani tsakanin sake farawa.
A halin yanzu, an gyara duk rashin lahani; a cikin wasu abubuwa, an aiwatar da tantancewa ga duk masu sarrafa rdsys kuma an ƙara duba jerin sunayen da aka ɗora a cikin Tor Browser ta hanyar sa hannu na dijital.
Bugu da ƙari, za mu iya lura da sakin Tor Browser 13.0.1. Sakin yana aiki tare da Firefox 115.4.0 ESR codebase, wanda ke gyara lahani 19 (ana ɗaukar 13 haɗari). An canza gyare-gyaren raunin rauni daga reshen Firefox 13.0.1 zuwa Tor Browser 119 don Android.
source: budenet.ru