Sage allows changes to NoScript settings

Post by **therube** » Wed Nov 25, 2009 4:24 am

Just to point out ... (& unconfirmed by me) ...

Zero-day Flaws in Firefox Extensions Found - dslreports.com

"A flaw in Sage, for instance, allows a malicious RSS feed to change your NoScript settings, adding sites to NoScript's whitelist."

http://www.dslreports.com/forum/r23387213-Zeroday-Flaws-in-Firefox-Extensions-Found

AMO: Sage 1.4.3

Post by **Alan Baxter** » Wed Nov 25, 2009 6:00 am

Posted 20 Nov 2009 02:11 pm MST (UTC-7)
Extension vulnerability debacle (Sage) • mozillaZine Forums

colfer wrote:Sage 1.4.3, the current version available at addons.mozilla.org, https://addons.mozilla.org/en-US/firefox/addon/77 , has had a known serious vulnerability for 1.5 years. Now it has been publicized on Slashdot, yet the extension is still avalable at a.m.o. with the slightest of warnings ("Let me install this experimental add-on"). This is wrong, wrong.

http://it.slashdot.org/story/09/11/20/1 ... Extensions
http://www.net-security.org/secworld.php?id=8527

The author of the extension has been repeatedly told by Mozilla's people on Bugzilla how to fix the problem, which allows malicious RSS feeds to control the browser's chrome and own the user's computer, but he continues to apply half fixes in order to allow better "user experience". The Mozilla people continue to allow him to delay applying a real fix, and meanwhile allow the extension to stay on a.m.o with the checkbox warning!

Questions:
* Why should a.m.o. host this sort of flawed extension, however popular?
* Can Mozilla actively disable this extension if installed, or is that only for bad plugins?

InformAction Forums

Sage allows changes to NoScript settings

Sage allows changes to NoScript settings

Re: Sage allows changes to NoScript settings