Mozilla Firefox Firebug Extension - Cross-Zone Scripting Vulnerability

Saturday, 7 April 2007

Firebug is a very powerful JavaScript debugger for Firefox but not only. I love Firebug. It has tones of useful features like a dynamic console, DOM tree explorer, CSS viewer/editor, script explorer and my favourite network monitor where I can see all Flash, XMLHttpRequest, JS and Image requests.

Firebug is mainly used by web developers to trace bugs in their code but it can also be used from security guys like me to find and explore various browser and remote site vulnerabilities. Firebug is my best buddy. I even partially based Technika, the bookmarklets powertool, on the top of Firebug.

Unfortunately, Firebug suffers from rather simple but quite dangerous vulnerability. I have discussed the issues that browsers like Firefox, Opera, IE and Safary face these days on this web site. In general, these browsers try their best to prevent common vulnerabilities from crippling into their source code. However, that’s not the case with browser extensions. Very often, browser extension authors do not consider the security aspects of their work that much. Because of this, vulnerabilities occur. Believe me or not, the next wave of browser attacks will target exactly that.

In this post I am going to disclose a vulnerability for Firebug which can be used by attackers to gain control of every system where the extension is installed. Of course, the user needs to visit a malicious page first, which means that the attack surface is greatly reduced. However, given the fact that the largest user base of the Firefox browser are geeks and Firebug is a top extension at, attackers can cause quite a lot of trouble.

The vulnerability is of a type Cross-zone or Cross-context scripting, where a script from a web pages in injected inside the zone of the browser, also know as the chrome, or in the zone of the file: protocol. In both cases the result is quite devastating, although the second is a bit less critical then the first. Remote scripts in the browser are restricted by a sandbox. This means that everything that is prefixed with http: or https: is secure. Browser extensions make use of the chrome: protocol. This protocol is not restricted at all and everything is allowed. Therefor browser extensions are trusted. However if a remote script, tricks the browser into executing JavaScript expressions on chrome: then this script can take control of the entire chrome and also the underplaying operating system because then command execution and read/write file access are allowed.

In order to cause Cross-zone scripting in Firebug you need to do the following:


If you put this JavaScript expression into a page and open it with the browser while Firebug is on, you will be prompted with an alert box. This is not very interesting but there is a lot more you can do then that. For example, attackers can easily inject the following function into the browser chrome:

function runFile(f) {
var file = Components.classes[";1"]


var process = Components.classes[";1"]


var argv =, 1);, argv, argv.length);

The function runFile allows execution of files. With the function declaration in the browser chrome, attackers can call console.log a few more times to spawn any file they want or even silently install browser extensions, not to mention that they will be able to read and write the file system too. The possibilities for evilness are endless.

There is a catch though. The Cross-context scripting vector is very tiny. In order to exploit the vulnerability, I needed to go through some extreme things like dynamically composing the malicious payload in a string then evaluating the string content inside the chrome. I composed two Proof Concepts that you can try out. Check the top of this page.

It is highly recommended that you disable Firebug until this issue is fixed.

Original advisories:

Share this content:
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.