Besttoolbars Development network

security issue in TBS Firefox with config_allowed

 
taw



Joined: 18 Jun 2007
Posts: 41
Location: Munich, Germany

Posted: Tue Oct 09, 2007 10:47 am    Post subject: security issue in TBS Firefox with config_allowed

In tb.xsl we have:

Code:
 <xsl:variable name="configallow">
 <xsl:for-each select = "child::CONFIGALLOW"><xsl:value-of select="text()"/>;</xsl:for-each>
</xsl:variable>


This results, for example, in a list like "foo.com;bar.com;foobar.com;"

In tb.js, this list is parsed like this:

Code:

if (set_configallow)
{
    var ca = set_configallow.getAttribute('value');
    if (ca)
    {
        var ca_sites = ca.split(';');
        var ci;
        for (ci = 0; ci < ca_sites.length; ci++)
            if (href.indexOf(ca_sites[ci]) != -1)
            {
                configallowed = 1;
                break;
            }
    }
}


Because ";" is always the last character of ca, the last element of ca_sites becomes "". Since string.indexOf("") is always 0, configallowed becomes 1, so every site can configure my toolbar.

Another problem with this use of indexOf: http://maleware.com/foo.com/badscript.html would be accepted.
taw



Joined: 18 Jun 2007
Posts: 41
Location: Munich, Germany

Posted: Mon Oct 15, 2007 11:23 am

I would suggest this diff:

Code:

<  if (href.indexOf(ca_sites[ci]) != -1)
---
>  if ((href.indexOf(ca_sites[ci]) != -1) && (ca_sites[ci] != "") && (href.indexOf(ca_sites[ci]) < href.indexOf(".")))
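
Review bot: the third clause, `href.indexOf(ca_sites[ci]) < href.indexOf(".")`, still tests a substring of the whole URL rather than the hostname, so the match is not anchored at a hostname label boundary: an entry is accepted whenever it starts anywhere before the first dot, and a listed site reached through a subdomain prefix such as `www.` is rejected because its first dot comes before the entry. Move `ca_sites[ci] != ""` to the front of the condition so the empty trailing entry is skipped before any search runs. A more robust form extracts the host part of href and compares it with each entry for equality (or as a dot-prefixed suffix if subdomains should be allowed).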



Could this be changed in the next ToolBarStudio version?
(There are two positions)

Thank You!
Admin
Site Admin


Joined: 22 Aug 2006
Posts: 1055

Posted: Tue Oct 23, 2007 9:30 am

This has been changed in our latest converter from

http://www.besttoolbars.net/download.php#mozilla
taw



Joined: 18 Jun 2007
Posts: 41
Location: Munich, Germany

Posted: Tue Oct 30, 2007 8:14 am

Sorry!

Code:

<  if (href.indexOf(ca_sites[ci]) != -1)
---
>  if (((href+"/").indexOf(ca_sites[ci]+"/") != -1) && (ca_sites[ci] != "") && (href.indexOf(ca_sites[ci]) < href.indexOf(".")))
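
Review bot: the first and third clauses search for different strings (`ca_sites[ci]+"/"` versus `ca_sites[ci]`), so they can be satisfied by two different occurrences in href; the slash-terminated match from the first clause is not guaranteed to be the one that sits before the first dot. Compute the position once, for example `var p = (href+"/").indexOf(ca_sites[ci]+"/")`, use `p` in both tests, and put the `!= ""` check first. Requiring a trailing "/" also rejects a listed host that is followed by a port. Comparing each entry against the host part of href instead of the full URL would avoid these cases.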


Would be better, so http://goodsite.com.badsite.com/foo.html will not be allowed.

This code can be found twice in tb.js.

Also, I suggest calling ToolBarInit and DocumentComplete only if configallowed==1! ;)
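
The two problems described in this thread (the empty trailing list entry and substring matching against the whole URL), as an added example that is not part of the original posts or of tb.js: the quoted check wrapped in a function, beside a variant that compares the parsed hostname. The function names, the `unlisted.example` and `www.bar.com` sample URLs, the use of the standard `URL` parser, and the choice to accept subdomains of a listed site are assumptions.

```javascript
"use strict";

// The check as quoted from tb.js, wrapped in a (hypothetical) function.
function legacyAllowed(list, href) {
  var sites = list.split(";");
  for (var i = 0; i < sites.length; i++) {
    if (href.indexOf(sites[i]) != -1) return true; // "" matches every href
  }
  return false;
}

// Return the hostname of an http(s) URL, or null if href does not parse.
function hostOf(href) {
  var u;
  try { u = new URL(href); } catch (e) { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname.replace(/\.$/, ""); // drop a trailing root dot
}

// Hardened variant: ignore empty entries, compare against the host only.
// Assumption: a listed site also covers its subdomains (".site" suffix).
function hostAllowed(list, href) {
  var host = hostOf(href);
  if (!host) return false;
  return list.split(";")
    .map(function (s) { return s.trim().toLowerCase(); })
    .filter(function (s) { return s.length > 0; })
    .some(function (site) {
      return host === site || host.endsWith("." + site);
    });
}

// List shape from the first post (note the trailing ";").
var LIST = "foo.com;bar.com;foobar.com;";
// Constructed sample URLs; the fourth is the one quoted in the first post.
var CASES = [
  "http://foo.com/config.html",
  "http://www.bar.com/config.html",
  "http://unlisted.example/page.html",
  "http://maleware.com/foo.com/badscript.html"
];
CASES.forEach(function (href) {
  console.log(href, "legacy:", legacyAllowed(LIST, href),
              "hardened:", hostAllowed(LIST, href));
});
```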