seebugRootSSV:19335
HistoryMar 24, 2010 - 12:00 a.m.

Mozilla Firefox 3.6 window.location对象非授权数据访问漏洞

2010-03-24 00:00:00
Root
www.seebug.org
41

EPSS

0.003

Percentile

68.2%

CVE ID: CVE-2010-0170

Firefox是一款流行的开源WEB浏览器。

Firefox 3.6的浏览器引擎引入了新的机制来实施窗口与框架(frame)之间的同源策略,并因此将window.location对象改成了可被覆盖的普通JavaScript对象。但一些插件也依赖这个对象判断页面来源以实施访问限制,因此恶意网页可以通过覆盖该对象欺骗插件,使其允许访问其他站点或本地文件系统上的数据。

受影响版本:Mozilla Firefox 3.6
厂商补丁:

Mozilla

目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.mozilla.org/


                                                <!DOCTYPE html>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=541530
-->
<head>
  <title>Test for Bug 411103</title>
</head>
<body>
<pre id="test">
<script class="testbody" type="text/javascript">

// Overall verdict for the page: starts true and is only ever cleared by ok().
var passed = true;

/**
 * Minimal assertion helper for this standalone test page.
 *
 * A truthy `test` is a silent pass. A falsy `test` raises an alert carrying
 * the message and clears the page-wide `passed` flag.
 *
 * @param {*} test - Condition under test; any falsy value counts as a failure.
 * @param {string} message - Description shown after the "FAIL: " prefix.
 */
function ok(test, message) {
    if (test) {
        return;
    }
    var report = "FAIL: " + message;
    alert(report);
    passed = false;
}

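// Regression checks: page script must not be able to replace or shadow
// window, window.location or document.location. Every check reports through
// ok(), the assertion helper defined earlier in this script.

// Keep a reference to the real global object, then try a plain assignment
// over it.
var orig = window;
window = {};

// Reference to the location object, taken before the accessor and watchpoint
// attempts below.
var origLocation = location;

// The assignment above must have had no effect, and the three ways of
// reaching location must still yield the same object.
ok(window === orig, "can't override window");
ok(window.location === location, "properties are properly aliased");
ok(document.location === location, "properties are properly aliased");

// Each try block below attempts one accessor override through the legacy
// __defineGetter__/__defineSetter__ API. The expected outcome is that the
// call throws, so the catch is intentionally empty; reaching the
// ok(false, ...) line means the override was accepted.

// Getter for `window` on the global object.
try {
    __defineGetter__('window', function() {});
    ok(false, "should not be able to defineGetter(window)");
} catch (e) {
}

// Getter for `location` on window.
try {
    window.__defineGetter__('location', function(){});
    ok(false, "should not be able to defineGetter(window.location)");
} catch (e) {
}

// Getter for `href` directly on the location object.
try {
    window.location.__defineGetter__('href', function(){});
    ok(false, "shouldn't be able to override location.href");
} catch (e) {
}

// Same getter, installed on the location object's prototype instead.
try {
    window.location.__proto__.__defineGetter__('href', function(){});
    ok(false, "shouldn't be able to use the prototype");
} catch (e) {
}

// Setter for `href` on the location object.
try {
    window.location.__defineSetter__('href', function(){});
    ok(false, "overrode a setter for location.href?");
} catch (e) {
}

// Getter for `location` on document.
try {
    document.__defineGetter__('location', function(){});
    ok(false, "shouldn't be able to override document.location");
} catch (e) {
}

// Watchpoint attempt (legacy Gecko Object.prototype.watch): the handler's
// return value replaces the value being assigned, so a watchpoint that took
// effect on href would turn the assignment near the end of this block into
// the failure report returned here.
// The inner message is double-quoted because it contains an apostrophe; with
// single quotes around it the javascript: URL is a syntax error, and the
// failure it is meant to report could never be raised.
location.watch('href', function() {
    return "javascript:ok(false, \"shouldn't be able to use watchpoints to mess things up\")";
});

// Installing the watchpoint must not have changed object identity either.
ok(window === orig, "can't override window");
ok(window.location === origLocation, "properties are properly aliased");
ok(document.location === origLocation, "properties are properly aliased");

// Assign a javascript: URL to href. If the watchpoint is not honoured this
// evaluates ok(true, ...), which reports nothing; if it is honoured, the
// handler's ok(false, ...) URL is what gets evaluated.
location.href = 'javascript:ok(true, "was able to set location.href through a watchpoint")';

// NOTE(review): if the javascript: URL above is evaluated asynchronously, a
// failure raised from it shows up only as ok()'s own alert and not in this
// summary. Confirm against the target browser.
alert(passed ? "All tests passed" : "FAILED!");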

</script>
</pre>
</body>
</html>