
Mozilla Firefox 3.6 window.location Object Unauthorized Data Access Vulnerability

2010-03-25 08:17
 

Affected versions:

Mozilla Firefox 3.6


Vulnerability description:

CVE ID: CVE-2010-0170

Firefox is a popular open-source web browser.

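Because a new mechanism was developed to enforce the same-origin policy between windows and frames, the Firefox 3.6 browser engine changed the window.location object into a normal, overridable JavaScript object. However, some plugins also use this object to determine the origin of a page in order to enforce access restrictions, so a malicious web page can override this object to trick such plugins into allowing access to data on other sites or on the local file system.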
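The trust problem described above can be modelled outside the browser. This is an added example, not code from the advisory, Firefox, or any plugin; `makeContext`, `pluginAllowsWeak`, `pluginAllowsHardened`, `runScenario` and the `.example` URLs are all hypothetical names constructed for the illustration.

```javascript
// Constructed model, not Firefox or plugin code: all names are hypothetical.

// The host keeps the real origin in `principal`; page script only sees `win`.
function makeContext(realUrl, locationIsOverridable) {
  const principal = Object.freeze({ origin: new URL(realUrl).origin });
  const win = {};
  Object.defineProperty(win, 'location', {
    value: Object.freeze({ href: realUrl }),
    writable: locationIsOverridable, // true models the Firefox 3.6 behaviour
    configurable: locationIsOverridable,
    enumerable: true,
  });
  return { win, principal };
}

// Weak check: trusts whatever the scriptable window object reports.
function pluginAllowsWeak(ctx, targetUrl) {
  return new URL(ctx.win.location.href).origin === new URL(targetUrl).origin;
}

// Hardened check: compares against the origin recorded by the host.
function pluginAllowsHardened(ctx, targetUrl) {
  return ctx.principal.origin === new URL(targetUrl).origin;
}

// Page script tries to replace window.location, then the plugin is asked
// whether the page may read a resource on another site.
function runScenario(locationIsOverridable) {
  const ctx = makeContext('https://page.example/index.html', locationIsOverridable);
  const target = 'https://other.example/private.json';
  const overrideSucceeded = Reflect.set(ctx.win, 'location', { href: target });
  return {
    overrideSucceeded,
    weak: pluginAllowsWeak(ctx, target),
    hardened: pluginAllowsHardened(ctx, target),
  };
}

console.log('overridable location:', runScenario(true));
console.log('protected location:  ', runScenario(false));
```

Only the weak check changes its answer when the override succeeds; the hardened check gives the same result in both scenarios because it never reads a value the page can write.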


References:
http://www.mozilla.org/security/announce/2010/mfsa2010-10.html
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=541530

Test method:

<!DOCTYPE html>
<html>
<!-- https://bugzilla.mozilla.org/show_bug.cgi?id=541530 -->
<head>
<title>Test for Bug 411103</title>
</head>
<body>
<pre id="test">
<script class="testbody" type="text/javascript">

var passed = true;

// Minimal assertion helper: report a failure and remember it.
function ok(test, message) {
  if (!test) {
    alert("FAIL: " + message);
    passed = false;
  }
}

// Plain assignment must not be able to replace the global window object.
var orig = window;
window = {};

var origLocation = location;

ok(window === orig, "can't override window");
ok(window.location === location, "properties are properly aliased");
ok(document.location === location, "properties are properly aliased");

// Each block below tries one way of overriding window, location or
// location.href; a fixed browser throws, so reaching ok(false, ...) is a failure.
try {
  __defineGetter__('window', function() {});
  ok(false, "should not be able to defineGetter(window)");
} catch (e) {
}

try {
  window.__defineGetter__('location', function(){});
  ok(false, "should not be able to defineGetter(window.location)");
} catch (e) {
}

try {
  window.location.__defineGetter__('href', function(){});
  ok(false, "shouldn't be able to override location.href");
} catch (e) {
}

try {
  window.location.__proto__.__defineGetter__('href', function(){});
  ok(false, "shouldn't be able to use the prototype");
} catch (e) {
}

try {
  window.location.__defineSetter__('href', function(){});
  ok(false, "overrode a setter for location.href?");
} catch (e) {
}

try {
  document.__defineGetter__('location', function(){});
  ok(false, "shouldn't be able to override document.location");
} catch (e) {
}

// If a watchpoint could rewrite the value assigned to location.href,
// this javascript: URL would run and record a failure.
location.watch('href', function() {
  return "javascript:ok(false, 'should not be able to use watchpoints to mess things up')";
});

// After all override attempts the original objects must still be in place.
ok(window === orig, "can't override window");
ok(window.location === origLocation, "properties are properly aliased");
ok(document.location === origLocation, "properties are properly aliased");

location.href = 'javascript:ok(true, "was able to set location.href through a watchpoint")';

alert(passed ? "All tests passed" : "FAILED!");

</script>
</pre>
</body>
</html>


 