Microsoft .NET Framework CVE-2011-3415 Forms Authentication URI Spoofing Vulnerability

Cause
Design error
Severity

Affected systems
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 2.0 SP2
Microsoft .NET Framework 2.0 SP1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 1.1 SP1

Unaffected systems

Impact
A remote attacker can exploit this vulnerability to redirect a user's connection and obtain sensitive information.

Attack requirements
The attacker must construct a specially crafted link and entice a user to follow it.

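Vulnerability information
The Microsoft .NET Framework is a popular software development kit.
The .NET Framework has a spoofing vulnerability in the way it validates URLs during forms authentication. An attacker who successfully exploits it can redirect a user to a website of the attacker's choosing without the user's knowledge. The attacker can then carry out a phishing attack to obtain sensitive information that the user did not intend to disclose.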
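The following detection sketch is an added example, not part of the original advisory or of any Microsoft code. It scans web server logs for login requests whose post-login redirect target points off-site. It assumes the target arrives in the ReturnUrl query parameter (the ASP.NET Forms Authentication default) and that logs are in IIS W3C format; the log lines, host names and addresses are constructed.

```python
from urllib.parse import parse_qs

# Constructed IIS W3C log sample (documentation addresses, reserved .example host).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-01-05 10:00:01 GET /login.aspx ReturnUrl=%2fdefault.aspx 192.0.2.10 200
2012-01-05 10:00:07 GET /login.aspx ReturnUrl=http%3a%2f%2fphish.example%2fowa 192.0.2.11 200
2012-01-05 10:00:09 GET /login.aspx returnurl=%2f%2fphish.example%2f 192.0.2.12 200
2012-01-05 10:00:12 GET /login.aspx ReturnUrl=%2f%5cphish.example 192.0.2.13 200
2012-01-05 10:00:15 GET /default.aspx - 192.0.2.10 200
"""


def is_local_url(url):
    """True only for a same-site path: one leading '/', no host, no control chars."""
    if any(ord(c) < 0x20 for c in url):
        return False
    # '//host' and '/\\host' are treated by browsers as references to another host.
    return url.startswith("/") and not url.startswith(("//", "/\\"))


def suspicious_return_urls(log_text, param="returnurl"):
    """Return (client_ip, uri_stem, decoded_target) for every non-local redirect target."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        query = row.get("cs-uri-query", "-")
        if query == "-":                   # IIS writes '-' for an empty query string
            continue
        # parse_qs percent-decodes values; parameter names are matched case-insensitively.
        for key, values in parse_qs(query).items():
            if key.lower() != param:
                continue
            for target in values:
                if not is_local_url(target):
                    hits.append((row.get("c-ip"), row.get("cs-uri-stem"), target))
    return hits


if __name__ == "__main__":
    for ip, stem, target in suspicious_return_urls(SAMPLE_LOG):
        print(f"{ip} {stem} -> {target!r}")
```

The same is_local_url check can be applied in the application before it redirects after login, as defence in depth alongside the vendor patch.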

Test method

Vendor solution
Users can refer to the following security patches provided by the vendor:
Microsoft .NET Framework 3.5 SP1
Microsoft Security Update for Microsoft .NET Framework 3.5 Service Pack 1 on Windows XP, Windows Server 2003,
http://www.microsoft.com/downloads/details.aspx?familyid=306acd0a-bea2-40dd-a639-f381587c9eb7
Microsoft Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 and Windows Server 2008 R2
http://www.microsoft.com/downloads/details.aspx?familyid=2de28d32-1efd-4177-82e6-19a08266096c
Microsoft Security Update for Microsoft .NET Framework 3.5.1 on Windows 7 Service Pack 1 and Windows Server 20
http://www.microsoft.com/downloads/details.aspx?familyid=26e0b56d-9228-49cf-9276-0741257567a9
Microsoft .NET Framework 2.0 SP2
Microsoft Security Update for Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2003 and Windows X
http://www.microsoft.com/downloads/details.aspx?familyid=eff633f7-abd9-45cc-acbd-4885123dbed2
Microsoft Security Update for Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 and
http://www.microsoft.com/downloads/details.aspx?familyid=49050cf2-949a-40e5-b2ee-6257a3837294
Microsoft .NET Framework 4.0
Microsoft Security Update for Microsoft .NET Framework 4
http://www.microsoft.com/downloads/details.aspx?familyid=37a8fb34-e3ad-4605-980b-28361889ce72
Microsoft .NET Framework 1.1 SP1
Microsoft Security Update for Microsoft .NET Framework 1.1 Service Pack 1 on Windows Server 2003 Service Pack
http://www.microsoft.com/downloads/details.aspx?familyid=7538762a-50e9-4f13-a60e-ff99aa8fbbf8
Microsoft Security Update for Microsoft .NET Framework 1.1 Service Pack 1 on Windows XP, Windows Server 2003 (
http://www.microsoft.com/downloads/details.aspx?familyid=471e1f51-c79c-4285-9f1e-aee1e4c4f189

Vulnerability reported by
Microsoft
