MozillaZine

[ext] NoScript 1.1.4.8 - The XSS Sniper

Announce and Discuss the Latest Theme and Extension Releases.
Alan Baxter
 
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Post Posted May 16th, 2007, 10:00 am

I found the following post in the mozilla.support.firefox Usenet newsgroup. Thought you should know about it, Giorgio, so I've copied it here along with my reply. Is this a bug or false positive?
I've got NoScript installed in firefox, when I google a page with ',
ä, ü, ö, ß or something like that it the title NoScript deletes these
as a XSS attempt. I put my own page on the XSS whitelist but it seems
that the standard whitelist already contains wikipedia, and I still
have problems.

When I go to:
http://www.google.de/search?q=ANTM+%22A ... ipedia.org
and click the link, it calls:
http://en.wikipedia.org/wiki/America's_Next_Top_Model
this is change to
http://en.wikipedia.org/wiki/America_s_Next_Top_Model
firefox caches the reply for some reason and
http://en.wikipedia.org/wiki/America's_Next_Top_Model
goes on not working till I call for example a
http://en.wikipedia.org/wiki/America's_ ... tion=purge

The NoScript Console says:
[NoScript XSS] Sanitized suspicious request referer. URL [http://
en.wikipedia.org/wiki/America's_Next_Top_Model (REF:
http://www.google.de/search?q=america's ... =firefox-a)]
requested from [http://www.google.de/search?q=america's+next+top
+model&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-
US:official&client=firefox-a]. Sanitized Referrer: [http://
en.wikipedia.org/wiki/America's_Next_Top_Model].)

and

[NoScript XSS] Sanitized suspicious request. Original URL [http://
en.wikipedia.org/wiki/America's_Next_Top_Model] requested from [http://
www.google.de/search?q=america's+next+t ... =firefox-a].
Sanitized URL: [http://en.wikipedia.org/wiki/America
%20s_Next_Top_Model].)

My reply:
I get the same behavior too. google.de is not whitelisted.
wikipedia.org is whitelisted. Might be a bug in NoScript because the
sanitization is replacing the apostrophe with a space according to this
message NoScript put in the Error Console:
[NoScript XSS] Sanitized suspicious request. Original URL
[http://en.wikipedia.org/wiki/America's_Next_Top_Model] requested from
[http://www.google.de/search?q=ANTM+%22ANTM+redirects+here%22+site%3Aen.wikipedia.org].
Sanitized URL:
[http://en.wikipedia.org/wiki/America%20s_Next_Top_Model].

If you can, post this problem in the official NoScript topic in the
MozillaZine forums at
http://forums.mozillazine.org/viewtopic ... order=desc. The
developer of NoScript provides support for NoScript there. In the
meantime I'll post a copy of this problem there because I do think it's
something that the developer should know about.
--
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
NoScript 1.1.4.8.070502

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 16th, 2007, 10:28 am

@cericson46:
Since you mentioned a slow dialup connection and frames, I'm inclined to believe some external JavaScript file fails to load due to a network timeout, especially if the problem is intermittent.
Can I have an URL to test? Thanks!

@jdopple:
This may be related to the changes which made Linux build crash on some Flash intensive sites.
Even if you're not on Linux, could you try upgrading to 070502 and see if the problem persist?

@Alan:
this is not a bug, as single quote/apostrophe is actually one of the most dangerous XSS characters.
On the other hand, its usage in Wikipedia title URLs is probably safe, so you can just edit the NoScript Options|XSS|Anti-XSS Protection Exceptions removing the apostrophe from the last line:
^http://[a-z]+\.wikipedia\.org/wiki/[^"'<>\?%]+$
becomes
^http://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$
Next NoScript version will use the latter regexp by default.
Thanks for your always timely reports :)

jdopple
 
Posts: 81
Joined: February 27th, 2005, 9:49 pm

Post Posted May 16th, 2007, 5:19 pm

Im using Win xp, and upgraded to the latest version.

So far, seems to have fixed that problem . Will report if I see it again.

jdopple
 
Posts: 81
Joined: February 27th, 2005, 9:49 pm

Post Posted May 16th, 2007, 5:34 pm

Sorry, still getting it. Heres a capture of what happened when I clicked on this link:


http://www.fatwallet.com/t/52/731851/

the black box lasts until the page fully loads. Enabling GLOBAL SCRIPTING cures the problem

Image
Last edited by jdopple on May 16th, 2007, 5:39 pm, edited 1 time in total.

ltsnow

User avatar
 
Posts: 1107
Joined: March 23rd, 2006, 1:49 pm
Location: Valdosta, GA

Post Posted May 16th, 2007, 5:38 pm

The "temporarily allow" function is no longer in my right-click context menu for the latest nightly of Minefield. It is still working fine in Firefox 2.0.0.5pre. Any thoughts?

ltsnow

User avatar
 
Posts: 1107
Joined: March 23rd, 2006, 1:49 pm
Location: Valdosta, GA

Post Posted May 16th, 2007, 5:45 pm

I see what's happening. The word "temporarily" is not present in Minefield, only italics. Why is this?

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 17th, 2007, 6:32 am

ltsnow wrote:I see what's happening. The word "temporarily" is not present in Minefield, only italics. Why is this?

Minefield bug, probably a regression caused by the fix to 53901.

@jdopple:
I've been able to reproduce and fix, just please wait for the next build. Many thanks for reporting :)

Aerik
 
Posts: 99
Joined: December 6th, 2006, 3:13 pm
Location: Shawnee, KS

Post Posted May 17th, 2007, 11:34 pm

This hasn't happened in a while, but file: disappeared from my whitelist. Other than that, this latest build has been pretty good to me.

niko322
 
Posts: 50
Joined: April 11th, 2007, 1:26 pm

Post Posted May 19th, 2007, 6:26 am

bug with 1.1.4.8.070502 ?

in ver 1.1.4.8.070429 change log its say

+ Shortcut to show NoScript menu works even if status bar icon and
toolbar button are both hidden

i try "ctrl shift s" when status bar its hidden and its not working...

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 19th, 2007, 4:03 pm

NoScript 1.1.4.8.070511 available here should fix all the issues reported so far, and adds a couple of extra safety preferences for links opened from external applications (XSS filtered by default) and from temporarily allowed sites (XSS filtered optionally), look at the changelog for details.

Please let me know if you find any outstanding regression, otherwise I'll merge the updated locales and make an AMO release in 12 hours.

@Aerik: can you check if file:// went in the untrusted blacklist by accident?

Thank you all :)

ltsnow

User avatar
 
Posts: 1107
Joined: March 23rd, 2006, 1:49 pm
Location: Valdosta, GA

Post Posted May 19th, 2007, 4:51 pm

Thanks for the update Giorgio and thanks for the acknowledgement in the changelog. The word "temporarily" now appears fine in Minefield.

Soul Stealer

User avatar
 
Posts: 480
Joined: March 31st, 2007, 1:18 pm
Location: God's Country

Post Posted May 19th, 2007, 5:07 pm

Just wanted to say thanks to Giorgio for all the work he puts into this script. :D


And, been to your corner of the world in my travels while in the U. S. Navy. :D
It's like I said.

Alan Baxter
 
Posts: 4419
Joined: May 30th, 2005, 2:01 pm
Location: Colorado, USA

Post Posted May 19th, 2007, 5:50 pm

It looks like NoScript 1.1.4.8.070511 has changed the default value for noscript.filterXGetRx to "[^\w:\/\.\-\+\*\=\(\)\[\]\{\}~,@;\|#]". I bet this corresponds to Better compatibility with Google Toolbar's translation service in the changelog. The only modification I had made to that pref was appending "\|" to it as you suggested in http://forums.mozillazine.org/viewtopic ... 63#2871963 . Of course the NoScript update did not replace my edited version with the new default, so I replaced it manually by resetting it in about.config. That was the right thing to do, wasn't it?
--
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
NoScript 1.1.4.8.070511

Giorgio Maone

User avatar
 
Posts: 3516
Joined: September 21st, 2004, 12:05 am
Location: Palermo - Italy

Post Posted May 20th, 2007, 2:30 am

Alan Baxter wrote:It looks like NoScript 1.1.4.8.070511 has changed the default value for noscript.filterXGetRx
[...]
I replaced it manually by resetting it in about.config. That was the right thing to do, wasn't it?

Yes it was, young Skywalker.

Nuttysman, hope you're home with your family now, bad times for traveling with U. S. Navy/Army.
Take care.

mamas6667
 
Posts: 2
Joined: May 20th, 2007, 4:06 am

Post Posted May 20th, 2007, 4:31 am

Mr Giorgio Maone
1st thank you for the nocript Extension, Excellent safety tool

- I will like to disable seeing "Allow XXX.com" or "Allow XXX.com"when I right click the nocript icon
- And only see the option "Temporarily allow XXX.com" or "Temporarily allow XXX.com"

I searched around, and found nothing, also tried changing some values in About:config noscript.show but I wasnt able to do it.

I know it's an odd request but i'm sure it can be done

Be well. :-)

Return to Extension/Theme Releases


Who is online

Users browsing this forum: No registered users and 2 guests