UniversalXSS in Quick Translator add-on (raw translation inserted using innerHTML)

RESOLVED FIXED in 2015-07

Status

RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: dveditz, Assigned: jorgev)

Tracking

({sec-moderate})

unspecified
2015-07
sec-moderate

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [qa-])

(Reporter)

Description

3 years ago
The Security alias received a report from Diaa (@dia2diab) that the Quick Translator add-on is vulnerable to a Universal XSS because the translation is inserted into its panel using innerHTML (much like the problem with another translation add-on in bug 976945)

https://addons.mozilla.org/en-US/firefox/addon/quick-translator/

It appears you'd have to have the user select text in an <input> or <textarea> (the POC uses <input>) and translate only the selected text rather than the entire page, but with that limitation I confirmed the bug. (I can't rule out the possibility of being able to booby-trap the regular text in an HTML doc, but my simpleminded variations on the POC didn't work).

An example test page: http://diaa.alwaysdata.net/POC.php

source of POC:
  <center>
    <input type="text" value="<img src=d onerror=prompt('Hacked')>">
  <center>
It doesn't matter where the text is. If it's translating a selection, the add-on sends the text of the selection, without escaping any HTML metacharacters, and injects whatever text Google Translate returns, without in any way sanitizing it.

It also requests the translation over HTTP, includes the option of automatically translating text whenever the selection changes, and interacts with content documents entirely via non-X-ray wrappers, including attaching a property to the content window global with several bound methods (which are fortunately not accessible to content in recent versions of Firefox).

So, all-in-all, this is pretty worrying. The add-on has a quarter of a million users, and appears entirely unmaintained, so we may have to block. I'll try contacting them via AMO and give them a week to respond.
(Reporter)

Comment 2

3 years ago
Oh sorry, yes. I did mean to mention the worrying warnings about unsafe CPOW usage. The functionality is nice (nicer than the one I'm using) but the implementation is a disaster.
(Reporter)

Comment 3

3 years ago
Kris: did you ever hear back? We probably need to block this now.
Flags: needinfo?(kmaglione+bmo)
I haven't heard back. I disabled the AMO listing. The blocklisting question is up to Jorge.
Flags: needinfo?(kmaglione+bmo) → needinfo?(jorge)
(Assignee)

Comment 5

3 years ago
Does version 2.0a1 have the same vulnerabilities? It's a big rewrite, supposedly, and pushing that version to users (if it works) would be preferable over blocking it.
Flags: needinfo?(jorge) → needinfo?(kmaglione+bmo)
It looks like it's been completely rewritten from an overlay extension to an SDK extension, but I don't have the time to go through the code at the moment.
Flags: needinfo?(kmaglione+bmo)
(Assignee)

Comment 7

3 years ago
Version 2.0a1 looks much better and the POC doesn't work on it. I'm approving it so current users will be updated to it. I'll block the older versions in two weeks, to give users time to update.
(Assignee)

Comment 8

3 years ago
The developer decided to hide the extension on AMO. It's unclear if they intend to submit new versions in the future.

All vulnerable versions are now blocked:

https://addons.mozilla.org/blocked/i966
Assignee: nobody → jorge
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2015-07

Updated

3 years ago
Group: addons-security

Comment 9

3 years ago
Please add STR here or mark it with [qa-] if no QA is needed.
I think it's qa-, the faulty add-on has been blocklisted.
Whiteboard: [qa-]

Comment 11

3 years ago
We are working on a new version, based on 1.0: https://github.com/CodeKullen/QT. Did not know that 2.0a1 was released - found it - we will check the differences.
You need to log in before you can comment on or make changes to this bug.