AOH :: HP Unsorted F :: BT-21553.HTM

Feed Sidebar Firefox Extension - Privileged Code Injection
Feed Sidebar Firefox Extension - Privileged Code Injection
Feed Sidebar Firefox Extension - Privileged Code Injection

     (    , )     (,
  .   `.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .`), ) _ _,
 /  _____/  / _  \    ____  ____   _____  
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq


Feed Sidebar Firefox Extension Code Injection Vulnerability
Versions affected: < 3.2


The Feed Sidebar Firefox extension will generate a
preview of any RSS item, from feeds you have currently
 subscribed to. discovered
that Feed Sidebar is vulnerable to multiple injection
vulnerabilities which can be exploited through a
malicious RSS feed. Cross-Site Scripting and HTML
injection vulnerabilities were discovered within the
RSS  tags of subscribed feeds.

Feed Sidebar directly evaluates remotely supplied
content, within the privileged chrome context. This
occurs when a user clicks on a feed item in the Feed
Sidebar, rendering a preview of the feed item at the
bottom of the sidebar. This can allow a remote feed
to exploit users browsing it, and may lead to the
complete compromise of the host.


This vulnerability can be exploited in several ways.
As the injection point is in the chrome privileged
browser zone, it is possible to bypass Same Origin
Policy (SOP) protections, and also access Mozilla
built-in XPCOM components. XPCOM components can be
used to read and write from the file system, as well
as execute arbitrary commands, steal stored passwords,
 or modify other Firefox extensions.

+--------+ follows responsible disclosure
and promptly contacted the developer after discovering
the issue. The developer was contacted on March 4,
2009, and a response was received on the following day.
A fix was released on March 14, 2009.  

The vendor supplied patch is available from Mozilla
or from the developer=E2=80=99s personal website, 


Discovered and advised to the Feed Sidebar developer
March 2009 by Nick Freeman of
Contact: Nick Freeman \\AT\\ security-assess\m/
Personal Page: 

For full details regarding this vulnerability
(including a detailed proof of concept exploit)
download the PDF from our website: 

For more details regarding exploitation of Firefox
extensions, refer to our DEFCON 17 presentation at is a New Zealand based world
leader in web application testing, network security
and penetration testing.
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH
We do not send spam. If you have received spam bearing an email address, please forward it with full headers to