CVE Vulnerability

CVE-2007-4174

Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote attackers to modify the torrc configuration file, compromise anonymity, and have other unspecified impact via HTTP POST data containing commands without valid authentication, as demonstrated by an HTML form (1) hosted on a web site or (2) injected by a Tor exit node.

5.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

References
Link Resource
http://archives.seul.org/or/announce/Aug-2007/msg00000.html
http://www.securityfocus.com/bid/25188
http://secunia.com/advisories/26301 Vendor Advisory
http://archives.seul.org/or/announce/Sep-2007/msg00000.html
http://www.securitytracker.com/id?1018510
http://osvdb.org/36271
http://www.vupen.com/english/advisories/2007/2768 Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/36407
https://exchange.xforce.ibmcloud.com/vulnerabilities/35784
Configurations

Configuration 1

cpe:2.3:a:tor:tor:0.1.2.10:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.9:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.14:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.6:alpha:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.1:alpha:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.11:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.7:alpha:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.3:alpha:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.8:beta:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.13:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:*:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.12:*:*:*:*:*:*:*
cpe:2.3:a:tor:tor:0.1.2.5:alpha:*:*:*:*:*:*
Information

Published : 2007-08-07 10:17

Updated : 2017-07-29 01:32

NVD link : CVE-2007-4174

Mitre link : CVE-2007-4174

Products Affected
No products.
CWE
CWE-264