Mozilla Firefox 3.6 window.location Object Unauthorized Data Access Vulnerability

 

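Affected versions:
Mozilla Firefox 3.6
Vulnerability description:
CVE ID: CVE-2010-0170

Firefox is a popular open-source web browser.

Because a new mechanism was developed to enforce the same-origin policy between windows and frames, the Firefox 3.6 browser engine changed the window.location object into a normal, overridable
JavaScript object. However, some plugins also use this object to determine the origin of a page in order to enforce access restrictions, so a malicious web page can override the object and trick a plugin into allowing
access to data on other sites or on the local file system.
Test method: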
<!DOCTYPE html>
<html>
<!--
https://bugzilla.mozilla.org/show_bug.cgi?id=541530
-->
<head>
  <title>Test for Bug 411103</title>
</head>
<body>
<pre id="test">
<script class="testbody" type="text/javascript">

var passed = true;
function ok(test, message) {
    if (!test) {
        alert("FAIL: " + message);
        passed = false;
    }
}

var orig = window;
window = {};

var origLocation = location;

ok(window === orig, "can't override window");
ok(window.location === location, "properties are properly aliased");
ok(document.location === location, "properties are properly aliased");

try {
    __defineGetter__('window', function() {});
    ok(false, "should not be able to defineGetter(window)");
} catch (e) {
}

try {
    window.__defineGetter__('location', function(){});
    ok(false, "should not be able to defineGetter(window.location)");
} catch (e) {
}

try {
    window.location.__defineGetter__('href', function(){});
    ok(false, "shouldn't be able to override location.href");
} catch (e) {
}

try {
    window.location.__proto__.__defineGetter__('href', function(){});
    ok(false, "shouldn't be able to use the prototype");
} catch (e) {
}

try {
    window.location.__defineSetter__('href', function(){});
    ok(false, "overrode a setter for location.href?");
} catch (e) {
}

try {
    document.__defineGetter__('location', function(){});
    ok(false, "shouldn't be able to override document.location");
} catch (e) {
}

location.watch('href', function() {
                          return "javascript:ok(false, 'should not be able to use watchpoints to mess things up')"
                       });

ok(window === orig, "can't override window");
ok(window.location === origLocation, "properties are properly aliased");
ok(document.location === origLocation, "properties are properly aliased");

location.href = 'javascript:ok(true, "was able to set location.href through a watchpoint")';

alert(passed ? "All tests passed" : "FAILED!");

</script>
</pre>
</body>
</html>
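
The trust problem from the description, as a constructed Node.js model added here (not Mozilla's code and not part of the original advisory): a plugin-style check that reads the script-visible location object reports a different origin once that object is overridable, and the correct one when the overrides the test case attempts are rejected. `makeWindow`, `pluginSeesOrigin`, `overrideAttempts`, `demo` and the example.* URLs are hypothetical names and values chosen for illustration.

```javascript
// Constructed model of the flaw described above; none of this is Firefox code.
// makeWindow() builds a stand-in "window" whose location is either an ordinary
// overridable property (the 3.6 behaviour) or a locked-down one.
function makeWindow(href, locked) {
  const location = locked ? Object.freeze({ href }) : { href };
  return Object.defineProperty({}, 'location', {
    value: location, writable: false, enumerable: true, configurable: !locked,
  });
}

// Hypothetical plugin-side check: derives the page origin from the
// script-visible object, which is the trust decision the advisory describes.
function pluginSeesOrigin(win) {
  return new URL(win.location.href).origin;
}

// What page script can try: redefine location.href, then window.location.
// Returns the names of the slots it managed to replace.
function overrideAttempts(win, spoofedHref) {
  const replaced = [];
  const fake = { get() { return spoofedHref; }, configurable: true };
  try {
    Object.defineProperty(win.location, 'href', fake);
    replaced.push('location.href');
  } catch (e) { /* TypeError: frozen object, property is not configurable */ }
  try {
    Object.defineProperty(win, 'location', { get() { return { href: spoofedHref }; } });
    replaced.push('window.location');
  } catch (e) { /* TypeError: property is not configurable */ }
  return replaced;
}

// Runs the override attempts against one model window and reports what the
// plugin-style check would then believe about the page origin.
function demo(locked) {
  const win = makeWindow('https://page.example/index.html', locked);
  const replaced = overrideAttempts(win, 'https://other.example/');
  return { replaced, origin: pluginSeesOrigin(win) };
}

console.log('overridable:', demo(false));
console.log('locked     :', demo(true));
```

The same two slots are what the test page probes with `__defineGetter__`; a check that passes only when both attempts throw matches the `ok(false, ...)` assertions in that page.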

 
