Firefox XPI Install Prevention Bypass.

Published on: 1180917546
Update: it doesn't seem to be what it looks like; see the comments below. I made the mistake of thinking this bypasses the security measures, but actually it is a "feature" of Mozilla. I'm not sure why that is, but you can slap me now for not being totally concentrated on this thing :)

As you probably know, a direct Firefox XPI extension installation call is only allowed from addons.mozilla.org, a few other sites, and sites you have personally set as trusted. A pretty cool feature, but also annoying when I want to push an extension to someone. At the same time this is a dangerous hack that aims to bypass the Firefox extension installation security feature. I thought about streaming the extension off my server, and it seems that it worked. It appears that this security feature is really simple to bypass: the only thing you need to do is add one line to your .htaccess file.

First I tried to set a few headers with PHP, but that wasn't working well. The XPI installer is called without any warning screen, but serving the file through PHP will mess up Firefox:

<?php
// Send the XPI install content type and stream the file to the browser.
// The original had a stray newline inside the Content-Transfer-Encoding value.
header('Content-Type: application/x-xpinstall');
header('Content-Disposition: inline; filename=spy.xpi');
header('Content-Transfer-Encoding: binary');
readfile('spy.xpi');
exit;

So then I simply wrote a line into my .htaccess:

# Serve .xpi files with the XPI install content type
AddType application/x-xpinstall .xpi
And that is where the magic begins. That's all there is to it to break this security feature. It seems that this security model kind of sucks; I'm not sure yet whether it is a bug or not, because I just found out about it. It might not work for everyone because of caching and the way Firefox does content negotiation internally, but it is a start for investigating this method some more.

How I found out

I inspected the headers that were sent from Mozilla on the installation of an extension; they gave me the content type I listed. So I began to clone this behavior, first with PHP and later on with the .htaccess rule.
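The observation above is that the content type alone (application/x-xpinstall) is what hands a response to the XPI installer. As an added example that is not code from the original post or from Mozilla, here is a small Python inspector of the kind a proxy or download scanner could run: it parses a raw HTTP response, normalises the Content-Type, pulls the filename from Content-Disposition, and flags the XPI install type when it is served from a host outside an install allowlist. The allowlist (addons.mozilla.org plus user-trusted hosts), the sample responses and the host names are constructed assumptions modelled on the post's description, not Firefox's real whitelist logic. It goes slightly beyond the post by also recognising a plain download whose filename ends in .xpi, which the post says does not trigger the installer.

```python
"""Added example: classify an HTTP response by XPI install content type and
serving host. Allowlist and sample data are assumptions, not Mozilla's code."""
from dataclasses import dataclass

XPI_MIME = "application/x-xpinstall"
DEFAULT_TRUSTED = frozenset({"addons.mozilla.org"})  # assumed allowlist seed


@dataclass(frozen=True)
class Verdict:
    host: str
    mime: str          # normalised media type, parameters stripped
    filename: str      # from Content-Disposition, "" if absent
    is_xpi: bool       # content type would be handed to the XPI installer
    trusted: bool      # host is on the allowlist
    flag: bool         # XPI install type served from an untrusted host


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP response (status line + headers) into a dict keyed by
    lower-cased header name. Parsing stops at the first blank line."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:          # skip the status line
        if line.strip() == "":
            break                   # blank line ends the header block
        if ":" not in line:
            continue                # tolerate junk lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def media_type(content_type: str) -> str:
    """'Application/X-XPInstall; charset=x' -> 'application/x-xpinstall'."""
    return content_type.split(";", 1)[0].strip().lower()


def disposition_filename(content_disposition: str) -> str:
    """Pull filename=... out of a Content-Disposition value (quotes stripped)."""
    for part in content_disposition.split(";")[1:]:
        key, _, value = part.strip().partition("=")
        if key.lower() == "filename":
            return value.strip().strip('"')
    return ""


def classify(host: str, raw_response: str,
             trusted_hosts: frozenset = DEFAULT_TRUSTED) -> Verdict:
    """Decide whether the response would reach the installer and whether the
    serving host is trusted; flag the combination of XPI type + untrusted host."""
    headers = parse_headers(raw_response)
    mime = media_type(headers.get("content-type", ""))
    filename = disposition_filename(headers.get("content-disposition", ""))
    is_xpi = mime == XPI_MIME
    trusted = host.lower() in {h.lower() for h in trusted_hosts}
    return Verdict(host=host, mime=mime, filename=filename, is_xpi=is_xpi,
                   trusted=trusted, flag=is_xpi and not trusted)


# Constructed sample responses (not captured traffic).
UNTRUSTED_XPI = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-xpinstall\r\n"
    "Content-Disposition: inline; filename=spy.xpi\r\n"
    "Content-Length: 12345\r\n"
    "\r\n"
)
PLAIN_DOWNLOAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="spy.xpi"\r\n'
    "\r\n"
)

if __name__ == "__main__":
    for host, raw in [("www.example.net", UNTRUSTED_XPI),
                      ("addons.mozilla.org", UNTRUSTED_XPI),
                      ("www.example.net", PLAIN_DOWNLOAD)]:
        print(classify(host, raw))
```

Only the first case (XPI content type from a host outside the allowlist) is flagged; the same response from addons.mozilla.org is not, and an octet-stream download named spy.xpi is recorded by filename but not treated as an install, matching the distinction the post draws between the PHP attempt and the AddType rule.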

Try it out, it should show the installation screen instantly:

http://www.0x000000.com/hacks/spy.xpi