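##############################################################################
#
#  Firefox Wizz RSS News Reader Extension Cross-Context Scripting
#
#  Copyright: OS2A and it's member companies
#
#  Date Written: 2007/04/18
#
#  $Revision: 1.1 $
#
#  $Log: os2a_firefox_wizz_rss_news_reader_ext_xss_604209.nasl,v $
#  Revision 1.1 2007/04/19 11:39:03 ksjayesh
#  To production
#
#
#  Revision 1.1 2007/04/18 04:22:25 karun
#  Issue #4007
#
#  ------------------------------------------------------------------------
#  This program was written by OS2A and/or it's member companies and is
#  licensed under the GNU GPL license. Please see below for details. This
#  header contains information regarding licensing terms under the GPL, and
#  information regarding obtaining source code from the Author. Consequently,
#  pursuant to section 3(c) of the GPL, you must accompany the information
#  found in this header with any distribution you make of this Program.
#  ------------------------------------------------------------------------
##############################################################################

# Credentialed local check (Linux only).
#
# Flow: log in over SSH, list every Firefox extension manifest (install.rdf)
# on the host, read each manifest that belongs to Wizz RSS News Reader and
# report when the extension's own version is older than 2.1.9.

if(description)
{
  script_id(604209);
  script_bugtraq_id(23523);
  script_cve_id("CVE-2007-2060");
  script_copyright(english:"Copyright (C) 2007 OS2A");
  script_version("$Revision: 1.1 $");
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_name(english:"Firefox Wizz RSS News Reader Extension Cross-Context Scripting");
  script_summary(english:"Check for the vulnerable version of Wizz RSS News Reader");
  desc["english"] = "
  Overview : This host has Wizz RSS News Reader extension for Firefox installed,
  which is prone to cross-context scripting vulnerability. The flaw is due to an
  improper sanitization of the input before being used.

  Impact : Successful exploitation could allow an attacker to execute arbitrary
  code within the chrome context by convincing a user to visit a specially
  crafted RSS feed. Scope of impact is limited to application level.

  Affected Software : Wizz RSS News Reader (extension for Firefox) versions
  prior to 2.1.9

  Affected Platform : Any system running the affected software.

  Solution : Update to version 2.1.9
  https://addons.mozilla.org/en-US/firefox/addon/424

  References : http://www.kb.cert.org/vuls/id/319464

  CVSS Score :
  CVSS Base Score : 5.6 (AV:R/AC:H/Au:NR/C:P/I:P/A:P/B:N)
  CVSS Temporal Score : 4.1
  Risk factor : Medium";

  script_description(english:desc["english"]);
  script_dependencies("ssh_get_info.nasl", "global_settings.nasl");
  script_require_keys("Host/uname");
  exit(0);
}


include("ssh_func.inc");

# The commands below are Linux specific; skip every other platform.
if("Linux" >!< get_kb_item("Host/uname")){
  exit(0);
}

sock = ssh_login_or_reuse_connection();
if(!sock){
  exit(0);
}

# Locate the file. Assumption is 'updatedb' is done regularly on the host.
# The regular expression is single-quoted so that the remote shell passes it
# to locate unchanged instead of attempting glob expansion on '.*'.
wizzPath = ssh_cmd(socket:sock,
                   cmd:"locate -ir 'firefox/.*/extensions/.*/install.rdf$'",
                   timeout:120);

# If thorough_tests option is clicked apply the find command.
if(wizzPath == NULL &&
   ("yes" >< get_kb_item("global_settings/thorough_tests")))
{
  command = "find / -xdev -type f -path '*/firefox/*/extensions/" +
            "*/install.rdf' -print";
  wizzPath = ssh_cmd(socket:sock, cmd:command, timeout:120);
}

if(wizzPath == NULL)
{
  ssh_close_connection();
  exit(0);
}

# Version test, anchored on the extension's own version field
# (<em:version>X</em:version> or em:version="X"; assumes the usual 'em:'
# namespace prefix). Without the anchor the pattern also matches unrelated
# numbers in the manifest - typically the XML declaration or the Firefox
# min/max version lines - and patched installations get reported.
# Matches 1.x, 2.0, 2.0.x, 2.1 and 2.1.0 - 2.1.8.
vulnPattern = "em:version(>|=.) *(1\.[0-9.]*|2\.(0(\.[0-9.]*)?|" +
              "1(\.[0-8])?))[^.0-9]";

foreach path (split(wizzPath))
{
  rdfPath = chomp(path);

  # File names come from the scanned host and can be chosen by any local
  # user, while the commands below run with the scan account's privileges.
  # Accept absolute paths only (this also drops blank lines and tool error
  # messages), skip names containing a single quote, and single-quote the
  # rest so the remote shell treats the name as one literal argument.
  if(ereg(pattern:"^/", string:rdfPath) && ("'" >!< rdfPath))
  {
    quotedPath = "'" + rdfPath + "'";

    if(ssh_cmd(socket:sock, cmd:"test -f " + quotedPath + " && echo $?",
               timeout:120))
    {
      wizzVer = ssh_cmd(socket:sock, cmd:"cat " + quotedPath, timeout:120);

      if("Wizz RSS News Reader" >< wizzVer)
      {
        if(egrep(pattern:vulnPattern, string:wizzVer))
        {
          security_warning(0);
          ssh_close_connection();
          exit(0);
        }
        # Not vulnerable: keep going, another Firefox profile on the same
        # host may still carry an older copy of the extension.
      }
    }
  }
}

ssh_close_connection();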