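Firefox window.location Object Unauthorized Data Access Vulnerability
Published: 2010-03-23
Updated: 2010-03-24
Affected systems:
Mozilla Firefox 3.6
Unaffected systems:
Mozilla Firefox 3.6.2
Description:
BUGTRAQ ID: 38919
CVE(CAN) ID: CVE-2010-0170
Firefox is a popular open-source web browser.
Because a new mechanism was developed to enforce the same-origin policy between windows and frames, the Firefox 3.6 browser engine changed the window.location object into a normal, overridable JavaScript object. However, some plugins also use this object to determine the origin of a page in order to enforce access restrictions, so a malicious web page can override the object to trick a plugin into allowing access to data on other sites or on the local file system.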
<*Source: Blake Kaplan
Links: http://www.mozilla.org/security/announce/2010/mfsa2010-10.html
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=541530
http://secunia.com/advisories/38608/
*>
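The following added example (not part of the original advisory, and not Firefox or plugin code) models the flaw described above in plain JavaScript: an origin check that reads a script-overridable location object reports whatever the page claims, while a locked-down property or a browser-supplied URL does not. All function names and the example.* URLs are constructed for illustration.

```javascript
// Constructed model (not Firefox or plugin code). "scope" stands in for the
// script-visible global; pageUrl is the URL the browser actually loaded.

// Firefox 3.6 as described above: location is an ordinary overridable property.
function makeOverridableScope(pageUrl) {
  return { location: { href: pageUrl } };
}

// Locked-down scope: location cannot be reassigned or redefined and href is
// frozen, mirroring what the test case on this page expects.
function makeLockedScope(pageUrl) {
  const scope = {};
  Object.defineProperty(scope, 'location', {
    value: Object.freeze({ href: pageUrl }),
    writable: false, configurable: false, enumerable: true,
  });
  return scope;
}

// What page script can try; returns true if the scope now reports claimedUrl.
function tryOverride(scope, claimedUrl) {
  'use strict';
  const fake = { href: claimedUrl };
  try { scope.location = fake; } catch (e) { /* rejected */ }
  try { Object.defineProperty(scope, 'location', { get: () => fake }); } catch (e) { /* rejected */ }
  try { scope.location.href = claimedUrl; } catch (e) { /* rejected */ }
  return scope.location.href === claimedUrl;
}

// Weak plugin-style check: trusts whatever the script-visible object says.
const originFromScope = (scope) => new URL(scope.location.href).origin;

// Robust check: uses the URL handed over by the browser, never page-writable state.
const originFromBrowser = (pageUrl) => new URL(pageUrl).origin;

function compare(pageUrl, claimedUrl) {
  const open = makeOverridableScope(pageUrl);
  const locked = makeLockedScope(pageUrl);
  return {
    openOverridden: tryOverride(open, claimedUrl),
    lockedOverridden: tryOverride(locked, claimedUrl),
    weakOnOpen: originFromScope(open),
    weakOnLocked: originFromScope(locked),
    robust: originFromBrowser(pageUrl),
  };
}

console.log(compare('https://untrusted.example/page.html', 'https://trusted.example/'));
```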
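Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!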
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=541530
-->
<head>
<title>Test for Bug 411103</title>
</head>
<body>
<pre id="test">
<script class="testbody" type="text/javascript">
// Regression test: every attempt to override window, window.location or
// document.location must either throw or leave the original object in place.
var passed = true;

// Minimal assertion helper: report the first failing check and remember it.
function ok(test, message) {
  if (!test) {
    alert("FAIL: " + message);
    passed = false;
  }
}

// Plain assignment to window must be ignored.
var orig = window;
window = {};
var origLocation = location;
ok(window === orig, "can't override window");
ok(window.location === location, "properties are properly aliased");
ok(document.location === location, "properties are properly aliased");

// Legacy getter/setter definitions on window, location and document must throw.
try {
  __defineGetter__('window', function() {});
  ok(false, "should not be able to defineGetter(window)");
} catch (e) {
}
try {
  window.__defineGetter__('location', function(){});
  ok(false, "should not be able to defineGetter(window.location)");
} catch (e) {
}
try {
  window.location.__defineGetter__('href', function(){});
  ok(false, "shouldn't be able to override location.href");
} catch (e) {
}
try {
  window.location.__proto__.__defineGetter__('href', function(){});
  ok(false, "shouldn't be able to use the prototype");
} catch (e) {
}
try {
  window.location.__defineSetter__('href', function(){});
  ok(false, "overrode a setter for location.href?");
} catch (e) {
}
try {
  document.__defineGetter__('location', function(){});
  ok(false, "shouldn't be able to override document.location");
} catch (e) {
}

// watch() is a legacy Gecko-only API; a watchpoint must not be able to
// substitute the value assigned to location.href.
location.watch('href', function() {
  return "javascript:ok(false, 'should not be able to use watchpoints to mess things up')";
});

// After all override attempts the original objects must still be in place.
ok(window === orig, "can't override window");
ok(window.location === origLocation, "properties are properly aliased");
ok(document.location === origLocation, "properties are properly aliased");
location.href = 'javascript:ok(true, "was able to set location.href through a watchpoint")';
alert(passed ? "All tests passed" : "FAILED!");
</script>
</pre>
</body>
</html>
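Recommendation:
Vendor patch:
Mozilla
-------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page: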
http://www.mozilla.org/
