Microsoft XML Core Services XMLHttpRequest Set-Cookie2 Header Information Disclosure Vulnerability

Published: 2009-02-17
Updated: 2009-02-18

Affected systems:
Microsoft XML Core Services 6.0
Microsoft XML Core Services 5.0
Microsoft XML Core Services 4.0
Microsoft XML Core Services 3.0

Description:
BUGTRAQ ID: 33803
CVE(CAN) ID: CVE-2009-0419

Microsoft XML Core Services (MSXML) lets users of JScript, VBScript and Visual Studio 6.0 develop XML-based applications that interoperate with other applications conforming to the XML 1.0 standard.

Microsoft XML Core Services does not properly restrict a web page's access to the Set-Cookie2 HTTP response header. A remote attacker can read this header through XMLHttpRequest calls, bypassing the HttpOnly protection mechanism and obtaining sensitive information.
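The flaw described above is a missing filter: script must never be able to read cookie-setting response headers through XMLHttpRequest, because HttpOnly only protects `document.cookie`. The following is an added example, not code from the advisory, from Mozilla or from MSXML: a small Node.js model of the header filtering a correct XMLHttpRequest implementation applies (both Set-Cookie and Set-Cookie2 are treated as forbidden, case-insensitively, for `getResponseHeader` and `getAllResponseHeaders`), plus a leak check a tester can apply to any XHR-like implementation. The sample response headers and the function names are constructed for this example.

```javascript
// Added example (not part of the advisory, Mozilla or MSXML): the filtering a
// correct XMLHttpRequest implementation applies so that script cannot read
// cookie-setting headers, regardless of HttpOnly. Runs under Node.js, offline.

// Header names an XHR implementation must never expose to script.
// HTTP header names are case-insensitive, so comparison is done in lower case.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

function isForbiddenResponseHeader(name) {
  return FORBIDDEN_RESPONSE_HEADERS.has(String(name).trim().toLowerCase());
}

// Parse a raw CRLF-separated header block into [name, value] pairs, keeping
// duplicate headers in their original order. Malformed lines are skipped.
function parseHeaderBlock(raw) {
  const pairs = [];
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue;
    pairs.push([line.slice(0, idx).trim(), line.slice(idx + 1).trim()]);
  }
  return pairs;
}

// Model of XHR getAllResponseHeaders(): every header except forbidden ones,
// names lower-cased, each line terminated by CRLF.
function getAllResponseHeaders(raw) {
  return parseHeaderBlock(raw)
    .filter(([name]) => !isForbiddenResponseHeader(name))
    .map(([name, value]) => `${name.toLowerCase()}: ${value}\r\n`)
    .join("");
}

// Model of XHR getResponseHeader(name): null for forbidden or absent headers;
// repeated headers are combined with ", ".
function getResponseHeader(raw, name) {
  if (isForbiddenResponseHeader(name)) return null;
  const wanted = String(name).trim().toLowerCase();
  const values = parseHeaderBlock(raw)
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Leak check for an XHR-like implementation: true only if no cookie-setting
// header is visible through either accessor. `lookup` is the implementation's
// getResponseHeader bound to the response under test.
function noCookieHeaderLeaks(allHeadersText, lookup) {
  return !/^set-cookie2?:/im.test(allHeadersText)
    && lookup("Set-Cookie") === null
    && lookup("SET-COOKIE2") === null;
}

// Constructed sample response headers (not captured from any real server).
const SAMPLE_RESPONSE_HEADERS = [
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: session=abc123; HttpOnly",
  "Set-Cookie2: legacy=xyz; Version=1; HttpOnly",
  "X-Dummy: test",
  "",
].join("\r\n");

const visible = getAllResponseHeaders(SAMPLE_RESPONSE_HEADERS);
const lookup = (n) => getResponseHeader(SAMPLE_RESPONSE_HEADERS, n);
console.log("script-visible headers:\n" + visible);
console.log("filtered view leaks cookies:", !noCookieHeaderLeaks(visible, lookup));
console.log("unfiltered view leaks cookies:", !noCookieHeaderLeaks(SAMPLE_RESPONSE_HEADERS, lookup));
```

Applied to a real XMLHttpRequest object, the same `noCookieHeaderLeaks` check (passing `xhr.getAllResponseHeaders()` and `xhr.getResponseHeader.bind(xhr)`) turns this advisory into a regression test: a build that returns anything but null for Set-Cookie2, or that lists it in the combined header text, has the defect described above.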

<*Source: Wladimir Palant

  Link: https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=380418
*>

Test method:

WARNING

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear all risk themselves!

+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=380418
+-->
+<head>
+  <title>Test for Bug 380418</title>
+  <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>        
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380418">Mozilla Bug 380418</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+  
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 380418 **/
+
+SimpleTest.waitForExplicitFinish();
+
+var request = new XMLHttpRequest();
+request.open("GET", window.location.href, false);
+request.send(null);
+
+// Add fake Set-Cookie and X-Dummy response headers
+netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect UniversalBrowserRead");
+var channel = request.channel.QueryInterface(Components.interfaces.nsIHttpChannel);
+channel.setResponseHeader("Set-Cookie", "test", false);
+channel.setResponseHeader("X-Dummy", "test", false);
+
+// Try reading headers in privileged context
+is(request.getResponseHeader("Set-Cookie"), "test", "Reading Set-Cookie response header in privileged context");
+is(request.getResponseHeader("X-Dummy"), "test", "Reading X-Dummy response header in privileged context");
+
+ok(/\bSet-Cookie:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie in all response headers in privileged context");
+ok(/\bX-Dummy:/i.test(request.getAllResponseHeaders()), "Looking for X-Dummy in all response headers in privileged context");
+
+// Try reading headers in unprivileged context
+setTimeout(function() {
+  is(request.getResponseHeader("Set-Cookie"), null, "Reading Set-Cookie response header in unprivileged context");
+  is(request.getResponseHeader("X-Dummy"), "test", "Reading X-Dummy response header in unprivileged context");
+  
+  ok(!/\bSet-Cookie:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie in all response headers in unprivileged context");
+  ok(/\bX-Dummy:/i.test(request.getAllResponseHeaders()), "Looking for X-Dummy in all response headers in unprivileged context");
+
+  SimpleTest.finish();
+}, 0);
+
+</script>
+</pre>
+</body>
+</html>
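Review bot: the test never exercises Set-Cookie2, the header this advisory is about; it injects only `Set-Cookie` and `X-Dummy` via `channel.setResponseHeader`, and the unprivileged assertions (`is(request.getResponseHeader("Set-Cookie"), null, ...)` and `ok(!/\bSet-Cookie:/i.test(...))`) would pass on a build that filters Set-Cookie but still exposes Set-Cookie2, since `\bSet-Cookie:` does not match `Set-Cookie2:`. Suggest adding `channel.setResponseHeader("Set-Cookie2", "test", false);` next to the Set-Cookie injection and mirroring both the privileged and unprivileged assertions for it (with a regex such as `/\bSet-Cookie2?:/i` for the getAllResponseHeaders checks). A comment explaining that the `setTimeout` callback runs outside the `enablePrivilege` grant, which is what makes it the "unprivileged context", would also help future readers.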

Recommendation:
Vendor patch:

Microsoft
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.microsoft.com/technet/security/

This security advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.