Sage allows changes to NoScript settings

General discussion about the NoScript extension for Firefox
Post Reply
User avatar
therube
Ambassador
Posts: 7518
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Sage allows changes to NoScript settings

Post by therube » Wed Nov 25, 2009 4:24 am

Just to point out ... (& unconfirmed by me) ...


Zero-day Flaws in Firefox Extensions Found - dslreports.com

"A flaw in Sage, for instance, allows a malicious RSS feed to change your NoScript settings, adding sites to NoScript's whitelist."

http://www.dslreports.com/forum/r23387213-Zeroday-Flaws-in-Firefox-Extensions-Found

AMO: Sage 1.4.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.6pre) Gecko/20091123 SeaMonkey/2.0.1pre

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Sage allows changes to NoScript settings

Post by Alan Baxter » Wed Nov 25, 2009 6:00 am

Posted 20 Nov 2009 02:11 pm MST (UTC-7)
Extension vulnerability debacle (Sage) • mozillaZine Forums
colfer wrote:Sage 1.4.3, the current version available at addons.mozilla.org, https://addons.mozilla.org/en-US/firefox/addon/77 , has had a known serious vulnerability for 1.5 years. Now it has been publicized on Slashdot, yet the extension is still avalable at a.m.o. with the slightest of warnings ("Let me install this experimental add-on"). This is wrong, wrong.

http://it.slashdot.org/story/09/11/20/1 ... Extensions
http://www.net-security.org/secworld.php?id=8527

The author of the extension has been repeatedly told by Mozilla's people on Bugzilla how to fix the problem, which allows malicious RSS feeds to control the browser's chrome and own the user's computer, but he continues to apply half fixes in order to allow better "user experience". The Mozilla people continue to allow him to delay applying a real fix, and meanwhile allow the extension to stay on a.m.o with the checkbox warning!

Questions:
* Why should a.m.o. host this sort of flawed extension, however popular?
* Can Mozilla actively disable this extension if installed, or is that only for bad plugins?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Post Reply