lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20071204163540.GA375@iCoaster.does-not-exist.org>
Date: Tue, 4 Dec 2007 17:35:40 +0100
From: Thomas Roessler <tlr@...org>
To: bugtraq@...urityfocus.com
Cc: mail@...elopersdigest.org, Andreas Amann <aamann@....com>
Subject: Some more widgets: Facebook, Hockey, FlickrInterestingNess (Re:
	[MacOS X] Insecure eval() in Twitgit and Twitterlex dashboard
	widgets)

This is a follow-up to [0] and [1].

Last night, I wrote:

> It would probably be an interesting exercise to go through some more
> dashboard widgets and grep for eval. I'd bet quite a bit that
> there's much more out there.

- The (top-50) facebook widget [2] uses the AllowFullAccess
  configuration option, which effectively means what it says.
  
  This widget also uses JSON to access numerous facebook functions,
  and eval() to parse the results.  Most of facebook's API is
  accessed through plain HTTP, of course, so the discussion in [0]
  and [1] fully applies.  It might be interesting to see whether one
  of the facebook JSON APIs is susceptible to cross-site-scripting
  attacks.
  
  The vulnerability is actually imported from the facebook API
  JavaScript library [7], and will affect any other JavaScript code
  that relies on that library.

The following two are somewhat more shy with respect to the holes
they blow into the dashboard's JavaScript sandbox, and therefore a
bit less interesting:

- The Hockey widget [3], currently presented as an Apple Staff Pick
  on [4], performs a lot of screen -- or rather, script -- scraping.
  Here's a little gem:

	var xmlResponse = xmlRequest.responseText;
	xmlResponse = xmlResponse.replace(/[\n\r]/g,"");
	var NHLatl = null;
	var gameData = xmlResponse.match(/script[^<]*var NHLatl.*?<\/script>/)[0].replace(/.*?var /,"").replace(/,\s*myScoresIcon.*/,"}");
	eval(gameData);

  So, for a change, the threat is not due to JSON, but due to the
  use of eval to extract data from JavaScript embedded with some Web
  page out there.
   
  The privileges gaied with this one are a bit boring, as it's only
  the ability to go out on the network.  But wait for the day on
  which AllowSystem is added in order to get Growl notifications of
  recent results!

- The Flickr Interestingness widget [5] (unfortunately, these folks
  don't give a contact e-mail address) uses JSON with eval to check
  for the availability of upgrades, and to fetch data from the
  flickr API.
  
  This widget comes with the AllowInternetPlugins privilege, and is
  therefore another vector through which one could exercise, say,
  the latest QuickTime vulnerability. [6]

0. http://log.does-not-exist.org/archives/2007/12/03/2155_json_eval_owning_the_dashboard.html
1. http://www.securityfocus.com/archive/1/484542/30/0/threaded
2. http://www.apple.com/downloads/dashboard/email_messaging/facebookwidget.html
3. http://www.apple.com/downloads/dashboard/sports/hockeywidget.html
4. http://www.apple.com/downloads/dashboard/
5. http://www.apple.com/downloads/dashboard/blogs_forums/flickrinterestingness.html
6. http://www.securityfocus.com/bid/26549
7. http://developersdigest.org/wordpress/?page_id=4

Cheers,
-- 
Thomas Roessler, W3C  <tlr@...org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ