NoScript XSS error in v2.0.9.2
Posted: Mon Jan 03, 2011 9:55 pm
Since upgrading to v2.0.9.2 of NoScript this morning, I've been unable to log in to my account at money.strands.com--clicking on their login button produces no results at all. At first I thought it was an error on their end, but checking FF 3.6.13's error console gave me this lengthy message. It appears whenever I click "login" on money.strands.com.
So...does this mean the problem is with NoScript, or is the trouble still on Strands' end? And is there a way to downgrade to an older version of NoScript? I don't want to outright disable it, and I don't want to use IE, either...but I need to get to my financial info somehow! 
Code:
[NoScript XSS] xss.reason.ReferenceError: whole is not defined --- ("//openid/?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=https://money.strands.com/moneystrands/sAuthResp.action&openid.realm=https://*.strands.com/&openid.assoc_handle={HMAC-SHA256}{4d1b65c8}{+vM6wA==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://id.strands.com/schema/common/email&openid.ext1.type.dob=http://id.strands.com/schema/common/dob&openid.ext1.type.gender=http://id.strands.com/schema/common/gender&openid.ext1.required=email,dob,gender&openid.ns.ext2=http://specs.openid.net/extensions/pape/1.0&openid.ext2.preferred_auth_policies=http://id.strands.com/schema/openid/pape/StrongPassword&openid.ext2.max_auth_age=0&referrer=moneystrands&language=en")@chrome://noscript/content/RequestWatchdog.js:1151
InjectionChecker_checkJSBreak("///openid/?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=https://money.strands.com/moneystrands/sAuthResp.action&openid.realm=https://*.strands.com/&openid.assoc_handle={HMAC-SHA256}{4d1b65c8}{+vM6wA==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://id.strands.com/schema/common/email&openid.ext1.type.dob=http://id.strands.com/schema/common/dob&openid.ext1.type.gender=http://id.strands.com/schema/common/gender&openid.ext1.required=email,dob,gender&openid.ns.ext2=http://specs.openid.net/extensions/pape/1.0&openid.ext2.preferred_auth_policies=http://id.strands.com/schema/openid/pape/StrongPassword&openid.ext2.max_auth_age=0&referrer=moneystrands&language=en")@chrome://noscript/content/RequestWatchdog.js:1288
("///openid/?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=https://money.strands.com/moneystrands/sAuthResp.action&openid.realm=https://*.strands.com/&openid.assoc_handle={HMAC-SHA256}{4d1b65c8}{+vM6wA==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://id.strands.com/schema/common/email&openid.ext1.type.dob=http://id.strands.com/schema/common/dob&openid.ext1.type.gender=http://id.strands.com/schema/common/gender&openid.ext1.required=email,dob,gender&openid.ns.ext2=http://specs.openid.net/extensions/pape/1.0&openid.ext2.preferred_auth_policies=http://id.strands.com/schema/openid/pape/StrongPassword&openid.ext2.max_auth_age=0&referrer=moneystrands&language=en")@chrome://noscript/content/RequestWatchdog.js:1507
("///openid/?openid.ns=http://specs.openid.net/auth/2.0&openid.claimed_id=http://specs.openid.net/auth/2.0/identifier_select&openid.identity=http://specs.openid.net/auth/2.0/identifier_select&openid.return_to=https://money.strands.com/moneystrands/sAuthResp.action&openid.realm=https://*.strands.com/&openid.assoc_handle={HMAC-SHA256}{4d1b65c8}{+vM6wA==}&openid.mode=checkid_setup&openid.ns.ext1=http://openid.net/srv/ax/1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http://id.strands.com/schema/common/email&openid.ext1.type.dob=http://id.strands.com/schema/common/dob&openid.ext1.type.gender=http://id.strands.com/schema/common/gender&openid.ext1.required=email,dob,gender&openid.ns.ext2=http://specs.openid.net/extensions/pape/1.0&openid.ext2.preferred_auth_policies=http://id.strands.com/schema/openid/pape/StrongPassword&openid.ext2.max_auth_age=0&referrer=moneystrands&language=en",2)@chrome://noscript/content/RequestWatchdog.js:1717
("///openid/?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=https%3A%2F%2Fmoney.strands.com%2Fmoneystrands%2FsAuthResp.action&openid.realm=https%3A%2F%2F*.strands.com%2F&openid.assoc_handle=%7BHMAC-SHA256%7D%7B4d1b65c8%7D%7B%2BvM6wA%3D%3D%7D&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Femail&openid.ext1.type.dob=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Fdob&openid.ext1.type.gender=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Fgender&openid.ext1.required=email%2Cdob%2Cgender&openid.ns.ext2=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.ext2.preferred_auth_policies=http%3A%2F%2Fid.strands.com%2Fschema%2Fopenid%2Fpape%2FStrongPassword&openid.ext2.max_auth_age=0&referrer=moneystrands&language=en",2)@chrome://noscript/content/RequestWatchdog.js:1740
("///openid/?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=https%3A%2F%2Fmoney.strands.com%2Fmoneystrands%2FsAuthResp.action&openid.realm=https%3A%2F%2F*.strands.com%2F&openid.assoc_handle=%7BHMAC-SHA256%7D%7B4d1b65c8%7D%7B%2BvM6wA%3D%3D%7D&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Femail&openid.ext1.type.dob=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Fdob&openid.ext1.type.gender=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Fgender&openid.ext1.required=email%2Cdob%2Cgender&openid.ns.ext2=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.ext2.preferred_auth_policies=http%3A%2F%2Fid.strands.com%2Fschema%2Fopenid%2Fpape%2FStrongPassword&openid.ext2.max_auth_age=0&referrer=moneystrands&language=en")@chrome://noscript/content/RequestWatchdog.js:1711
("///openid/?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&openid.return_to=https%3A%2F%2Fmoney.strands.com%2Fmoneystrands%2FsAuthResp.action&openid.realm=https%3A%2F%2F*.strands.com%2F&openid.assoc_handle=%7BHMAC-SHA256%7D%7B4d1b65c8%7D%7B%2BvM6wA%3D%3D%7D&openid.mode=checkid_setup&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_request&openid.ext1.type.email=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Femail&openid.ext1.type.dob=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Fdob&openid.ext1.type.gender=http%3A%2F%2Fid.strands.com%2Fschema%2Fcommon%2Fgender&openid.ext1.required=email%2Cdob%2Cgender&openid.ns.ext2=http%3A%2F%2Fspecs.openid.net%2Fextensions%2Fpape%2F1.0&openid.ext2.preferred_auth_policies=http%3A%2F%2Fid.strands.com%2Fschema%2Fopenid%2Fpape%2FStrongPassword&openid.ext2.max_auth_age=0&referrer=moneystrands&language=en")@chrome://noscript/content/RequestWatchdog.js:1682
([object Object])@chrome://noscript/content/RequestWatchdog.js:663
()@chrome://noscript/content/RequestWatchdog.js:77
((function () {return this.filterXSS(abeReq);}),[object Object])@chrome://noscript/content/RequestWatchdog.js:2323
([object XPCWrappedNative_NoHelper],"http-on-modify-request",null)@chrome://noscript/content/RequestWatchdog.js:78
