BUGTRAQ ID: 33803
CVE(CAN) ID: CVE-2009-0419
Microsoft XML Core Services(MSXML)允许使用JScript、VBScript和Visual Studio 6.0的用户开发基于XML的应用,以与其他遵循XML 1.0标准的应用程序交互操作。
Microsoft XML Core Services没有正确地限制网页对Set-Cookie2 HTTP响应头的访问,远程攻击者可以通过XMLHttpRequest调用绕过HTTPOnly保护机制读取敏感信息。
Microsoft XML Core Services 6.0
Microsoft XML Core Services 5.0
Microsoft XML Core Services 4.0
Microsoft XML Core Services 3.0
厂商补丁:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
<a href=“http://www.microsoft.com/technet/security/” target=“_blank”>http://www.microsoft.com/technet/security/</a>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=380418
+-->
+<head>
+ <title>Test for Bug 380418</title>
+ <script type="text/javascript" src="/MochiKit/MochiKit.js"></script>
+ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=380418">Mozilla Bug 380418</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+<script class="testbody" type="text/javascript">
+
+/** Test for Bug 380418 **/
+
+SimpleTest.waitForExplicitFinish();
+
+var request = new XMLHttpRequest();
+request.open("GET", window.location.href, false);
+request.send(null);
+
+// Add fake Set-Cookie and X-Dummy response headers
+netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect UniversalBrowserRead");
+var channel = request.channel.QueryInterface(Components.interfaces.nsIHttpChannel);
+channel.setResponseHeader("Set-Cookie", "test", false);
+channel.setResponseHeader("X-Dummy", "test", false);
+
+// Try reading headers in privileged context
+is(request.getResponseHeader("Set-Cookie"), "test", "Reading Set-Cookie response header in privileged context");
+is(request.getResponseHeader("X-Dummy"), "test", "Reading X-Dummy response header in privileged context");
+
+ok(/\bSet-Cookie:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie in all response headers in privileged context");
+ok(/\bX-Dummy:/i.test(request.getAllResponseHeaders()), "Looking for X-Dummy in all response headers in privileged context");
+
+// Try reading headers in unprivileged context
+setTimeout(function() {
+ is(request.getResponseHeader("Set-Cookie"), null, "Reading Set-Cookie response header in unprivileged context");
+ is(request.getResponseHeader("X-Dummy"), "test", "Reading X-Dummy response header in unprivileged context");
+
+ ok(!/\bSet-Cookie:/i.test(request.getAllResponseHeaders()), "Looking for Set-Cookie in all response headers in unprivileged context");
+ ok(/\bX-Dummy:/i.test(request.getAllResponseHeaders()), "Looking for X-Dummy in all response headers in unprivileged context");
+
+ SimpleTest.finish();
+}, 0);
+
+</script>
+</pre>
+</body>
+</html>