2009/12/3 Alan Woodland <alan.woodl...@gmail.com>:
> 2009/12/3 Giuseppe Iuculano <iucul...@debian.org>:
>> Package: firefox-sage
>> Severity: grave
>> Tags: security
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> Hi,
>> the following CVE (Common Vulnerabilities & Exposures) id was
>> published for firefox-sage.
>>
>> CVE-2009-4102[0]:
>> | Sage 1.4.3 and earlier extension for Firefox performs certain
>> | operations with chrome privileges, which allows remote attackers to
>> | execute arbitrary commands and perform cross-domain scripting attacks
>> | via the description tag of an RSS feed.
>>
>> If you fix the vulnerability please also make sure to include the
>> CVE id in your changelog entry.
>>
>> For further information see:
>>
>> [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4102
>>     http://security-tracker.debian.org/tracker/CVE-2009-4102
>
> Hmm, I'll take a look at this this afternoon. It's possible we might
> not be hit by this one, last time there was an XSS bug I applied a
> patch that went further than upstream did.
>

Ho hum, I've so far not succeeded in finding a test case that exploits
this (safely). I thought the attached feed would break things, but
apparently not so far.

Alan

<?xml version="1.0" encoding="UTF-8"?>
<rss>
  <channel>
    <title>no title</title>
    <description><script>alert("hello world - feed description");</script></description>
    <link>n/a</link>
    <lastBuildDate>n/a</lastBuildDate>
    <generator>RSS Writer</generator>
    <image><url>http://www.phelios.net</url><title>n/a</title><link>http://www.phelios.net</link><description>n/a</description></image>
  </channel>
  <item>
    <title>item title</title>
    <link>item link</link>
    <description>Test 1<script>alert("hello world - item description");</script></description>
  </item>
</rss>
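
An added example, not part of the original message or of Sage's code: a Python check that scans a feed for description elements carrying script-capable markup, in either of the two forms it can take in the XML (escaped text or CDATA, and real child elements). The sample feed, the scan_feed name and the tag denylist are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not the attachment from the thread).
SAMPLE_FEED = """<rss version="2.0"><channel>
  <title>constructed sample</title>
  <description>plain channel description</description>
  <item><title>escaped</title>
    <description>Test 1 &lt;script&gt;alert("x");&lt;/script&gt;</description></item>
  <item><title>child element</title>
    <description>Test 2 <script>alert("x");</script></description></item>
  <item><title>clean</title>
    <description>Just &lt;b&gt;bold&lt;/b&gt; text</description></item>
</channel></rss>"""

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # assumed denylist for this example


class ActiveMarkupFinder(HTMLParser):
    """Records script-capable tags and on* handler attributes seen in HTML text."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        self.findings += [f"{tag}@{name}" for name, _ in attrs if name.startswith("on")]


def scan_feed(xml_text):
    """Map 'parent:title' to findings for each <description> carrying active markup."""
    report = {}
    for parent in ET.fromstring(xml_text).iter():
        for desc in parent.findall("description"):
            finder = ActiveMarkupFinder()
            # Form 1: markup carried as escaped text or CDATA inside the description.
            finder.feed("".join(desc.itertext()))
            finder.close()
            # Form 2: markup present as real XML child elements of <description>.
            for child in desc.iter():
                name = child.tag.rsplit("}", 1)[-1].lower()
                if child is not desc and name in ACTIVE_TAGS:
                    finder.findings.append(f"<{name}> (child element)")
            if finder.findings:
                report[f"{parent.tag}:{parent.findtext('title', default='?')}"] = finder.findings
    return report
```

Calling scan_feed(SAMPLE_FEED) reports the two items that carry a script element and leaves the plain and bold-only descriptions out of the result.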