Mozilla Firefox 3.6
影响版本:
漏洞描述:
CVE ID: CVE-2010-0170
Firefox是一款流行的开源Web浏览器。Firefox 3.6采用了新的机制来强制实施窗口与帧之间的同源策略,浏览器引擎因此将window.location对象改成了可被覆盖的普通JavaScript对象。但一些插件也依赖这个对象判断页面来源以实施访问限制,因此恶意网页可以通过覆盖该对象欺骗插件,使其允许访问其他站点或本地文件系统上的数据。
参考
http://www.mozilla.org/security/announce/2010/mfsa2010-10.html
https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=541530
测试方法:
<!DOCTYPE html>
<html>
<!-- https://bugzilla.mozilla.org/show_bug.cgi?id=541530 -->
<!--
  Regression page: checks that page script cannot replace or shadow
  window, window.location, document.location or location.href.
  The result is reported through alert(): "All tests passed" when every
  check held, otherwise one "FAIL: ..." alert per failed check followed
  by "FAILED!".
  NOTE(review): the title below cites bug 411103 while the link above
  points at bug 541530; possibly carried over from an older test, confirm.
-->
<head>
  <title>Test for Bug 411103</title>
</head>
<body>
<pre id="test">
<script class="testbody" type="text/javascript">
// Overall verdict; cleared by ok() on the first failed check.
var passed = true;

// Minimal assertion helper: a falsy `test` raises an alert with `message`
// and marks the run as failed. A truthy `test` does nothing.
function ok(test, message) {
  if (!test) {
    alert("FAIL: " + message);
    passed = false;
  }
}

// Keep references to the real objects before any override attempt, so the
// identity checks below can tell whether something was swapped out.
var orig = window;
window = {};  // this assignment is expected to have no effect
var origLocation = location;

ok(window === orig, "can't override window");
ok(window.location === location, "properties are properly aliased");
ok(document.location === location, "properties are properly aliased");

// Each block below tries one way of installing an accessor over a
// security-relevant property. The ok(false, ...) line is reached only if
// the attempt did not throw, so a thrown exception is the passing outcome.
// __defineGetter__ / __defineSetter__ are legacy non-standard APIs.
try {
  __defineGetter__('window', function() {});
  ok(false, "should not be able to defineGetter(window)");
} catch (e) { }

try {
  window.__defineGetter__('location', function(){});
  ok(false, "should not be able to defineGetter(window.location)");
} catch (e) { }

try {
  window.location.__defineGetter__('href', function(){});
  ok(false, "shouldn't be able to override location.href");
} catch (e) { }

// Same attempt one level up, through the Location object's prototype.
try {
  window.location.__proto__.__defineGetter__('href', function(){});
  ok(false, "shouldn't be able to use the prototype");
} catch (e) { }

try {
  window.location.__defineSetter__('href', function(){});
  ok(false, "overrode a setter for location.href?");
} catch (e) { }

try {
  document.__defineGetter__('location', function(){});
  ok(false, "shouldn't be able to override document.location");
} catch (e) { }

// Registers a watchpoint on location.href whose handler returns a
// different javascript: URL than the one assigned further down.
// This call is not wrapped in try/catch: where watch() is unavailable
// (it is a non-standard Gecko API), the script stops here and the final
// alert never appears.
// NOTE(review): the returned string has an unescaped apostrophe in
// "shouldn't" inside a single-quoted argument, so it would probably not
// parse as script if it were ever used as the new href; confirm against
// the upstream test.
location.watch('href', function() { return "javascript:ok(false, 'shouldn't be able to use watchpoints to mess things up')" });

// Re-check identity after all override attempts.
ok(window === orig, "can't override window");
ok(window.location === origLocation, "properties are properly aliased");
ok(document.location === origLocation, "properties are properly aliased");

// ok(true, ...) is a no-op in this harness, so this assignment records
// nothing by itself. Presumably it exists to trigger the watchpoint
// registered above; confirm.
location.href = 'javascript:ok(true, "was able to set location.href through a watchpoint")';

alert(passed ? "All tests passed" : "FAILED!");
</script>
</pre>
</body>
</html>