It all started following a security disclosure by Nick Freeman on WizzRSS, the Firefox addon. The author of the addon, Mike Kroger, was confused: he believed in good faith that he was following best practices by using the nsIScriptableUnescapeHTML class function to perform input validation. This caught my attention and I decided to do more research on the function and see if there were ways to bypass it.
In April 2010, I released a white paper entitled "Cross Context Scripting with Firefox". The white paper included the research conducted by myself and Nick Freeman on finding bugs in Firefox extensions. In particular, one technique discussed in section "2.8 Case VIII: Bypassing nsIScriptableUnescapeHTML.parseFragment()" included examples of how to bypass the aforementioned function. Indeed, the function could not be trusted, and Mike Kroger was right.
Following the release of the white paper, NIST assigned a CVE identifier, CVE-2010-1585, referring to section 2.8 of the white paper. After that, I felt I had to contact Mozilla, and I filed a bug report with them in May 2010, with identifier 568395.
A few days ago, Nick Freeman told me that this bug was fixed, as announced by Mozilla. The bug also affected SeaMonkey and Thunderbird. The bug was re-opened by Daniel Veditz with identifier 562547. To add further confusion, I am cited as a "Mozilla Security Developer" in the Mozilla security advisory ;-).