So much for nsIScriptableUnescapeHTML.parseFragment()

November 17, 2009
By Mike

Last night, and again this morning, I spent a few hours trying to implement nsIScriptableUnescapeHTML.parseFragment() in the Wizz RSS code. According to Wladimir Palant, nsIScriptableUnescapeHTML.parseFragment() should be used for “Displaying web content in an extension – without security issues”. It’s also obvious that other Firefox “security experts” – i.e. Jorge Villalobos – agree with Wladimir Palant’s opinion.

My few hours of trying to implement nsIScriptableUnescapeHTML.parseFragment() have shown me that both Wladimir Palant and Jorge Villalobos are wrong!

Back in March 2007, Jefferson Ogata of the NOAA Computer Incident Response Team (N-CIRT) lodged a vulnerability report with US-CERT (details of the vulnerability report can be seen here and here) with regard to a vulnerability discovered in Wizz RSS 2.1.7 (and earlier). Jefferson Ogata very kindly worked with me for quite a few weeks on plugging the vulnerability. Jefferson offered advice and I coded his recommendations. Jefferson would then test my fixes against a set of potentially malicious test cases, and when we were both happy that the vulnerability had successfully been plugged, version 2.1.9 was released and made public.

So, while nsIScriptableUnescapeHTML.parseFragment() successfully deals with vulnerabilities in Wizz RSS uncovered by Wladimir Palant, it certainly does not deal with all of those uncovered by Jefferson Ogata in 2007!

Makes me wonder how many other Firefox extensions have implemented nsIScriptableUnescapeHTML.parseFragment(), believing that it would sanitize potentially malicious code? Also makes me wonder if the “security experts” actually know what they are talking about.

10 Responses to So much for nsIScriptableUnescapeHTML.parseFragment()

  1. MaiDireAudit on November 25, 2009 at 10:51 am

    I’ll never uninstall wizz. No matter what they say about security issues like that.
    Never had any single problem with the reader.

  2. Roonie on December 8, 2009 at 9:21 pm

    All these links and I don’t know how to uninstall it. Can you send me a proper link with instructions as to how to get this off my HD? Also, is this why I keep getting a pop-up in gMail related to passwords for RSS readers?

  3. Mike on December 8, 2009 at 9:48 pm

    @Roonie: As far as I’m aware, all Firefox add-ons uninstall in exactly the same way. If you don’t know how to uninstall a Firefox add-on, please see http://www.wizzrss.com/helpwiki/index.php/Uninstalling_Wizz_RSS for details on how to do it.

    If you are using Wizz RSS, or any other feed reader for Firefox (which includes Live Bookmarks, commonly referred to as Livemarks), to read your gmail, and have not got the Firefox password manager to store your password, a pop-up requesting your gmail password will appear each time you read the feed.

  4. Jesse Francis on December 13, 2009 at 9:35 pm

    I would rather see the warning message every time I restart my browser than uninstall Wizz RSS. It is simply the best RSS feed agent for Firefox. Nothing else even comes close.

    My favorite feature is that it handles all my podcast subscriptions neatly in my AOIS sidebar and allows me to play them without visiting the podcast’s site every time.

    Tell’em where to put it Mike.

  5. Elena on December 16, 2009 at 1:11 pm

    Thank you, everything is fine.

  6. Elena on December 16, 2009 at 1:12 pm

    Thank you, I like it.

  7. Steve Kinney on March 5, 2010 at 7:42 am

    If the user/administrator of a computer is competent, nothing that crawls up out of any Firefox extension can cause damage beyond annoyance or, at the very worst, a few hours of lost work. If the user/administrator is incompetent, obscure and as-yet unexploited security holes in Firefox extensions are the least of the problems.

    I will not upgrade Firefox to any version that does not support Wizz RSS, because there are no workable replacements.

  8. Mike on March 5, 2010 at 8:10 am

    @Steve: The main problem here is that people at Mozilla are “selling” nsIScriptableUnescapeHTML.parseFragment() as the magic bullet for ensuring that malicious code doesn’t execute within the “privileged” confines of Firefox, which it certainly isn’t. Malicious code with access to the “privileged” confines of Firefox could, for example, read stored passwords, which could be more than an annoyance if you do your banking online and Firefox has stored your password.

    Because people at Mozilla are pushing nsIScriptableUnescapeHTML.parseFragment() on many extension developers, those same extension developers are accepting, without question, that the magic bullet is going to close all security holes. In fact all that is happening is that extension developers are implementing a standard set of security vulnerabilities.

  9. Roberto Suggi Liverani on March 27, 2011 at 1:42 pm

    Hi Mike,

    I just posted an article in my blog regarding this issue with nsIScriptableUnescapeHTML.parseFragment(). Please see here:

    http://malerisch.net/articles/ParanoidFragmentSink_and_a_confusing_disclosure.html

    In a few words, you were right. The function could not be trusted. The issue has now been fixed by Mozilla.

    Cheers,

    Roberto Suggi Liverani

  10. Mike on March 28, 2011 at 8:06 am

    Thanks Roberto :) I wonder if Wladimir Palant and Jorge Villalobos would now consider an apology?
