首页 -> 安全研究
安全研究
安全漏洞
Mozilla / Netscape 6 XMLHttpRequest文件泄露漏洞
发布日期:2002-04-30
更新日期:2002-05-08
受影响系统:
Mozilla Browser 1.0 RC1描述:
Mozilla Browser 0.9.9
Netscape Netscape 6.2.2
Mozilla Browser 0.9.7
- Apple MacOS 9.2.1
- Apple MacOS 9.2
- Apple MacOS 9.1
- Apple MacOS 9.0.4
- Apple MacOS 9.0
- Apple MacOS 10.1.2
- Apple MacOS 10.1.1
- Apple MacOS 10.1
- Apple MacOS 10.0.4
- Apple MacOS 10.0.3
- Apple MacOS 10.0.2
- Apple MacOS 10.0.1
- Apple MacOS 10.0
- Microsoft Windows XP
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows ME
- Microsoft Windows 98
- Microsoft Windows 95
Mozilla Browser 0.9.8
- Apple MacOS 9.2.1
- Apple MacOS 9.2
- Apple MacOS 9.1
- Apple MacOS 9.0.4
- Apple MacOS 9.0
- Apple MacOS 10.1.2
- Apple MacOS 10.1.1
- Apple MacOS 10.1
- Apple MacOS 10.0.4
- Apple MacOS 10.0.3
- Apple MacOS 10.0.2
- Apple MacOS 10.0.1
- Apple MacOS 10.0
- Microsoft Windows XP
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows ME
- Microsoft Windows 98
- Microsoft Windows 95
Netscape Netscape 6.1
- Apple MacOS 9.2.1
- Apple MacOS 9.2
- Apple MacOS 9.1
- Apple MacOS 9.0.4
- Apple MacOS 9.0
- Apple MacOS 10.1.2
- Apple MacOS 10.1.1
- Apple MacOS 10.1
- Apple MacOS 10.0.4
- Apple MacOS 10.0.3
- Apple MacOS 10.0.2
- Apple MacOS 10.0.1
- Apple MacOS 10.0
- Microsoft Windows XP
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
Netscape Netscape 6.2
- Apple MacOS 9.2.1
- Apple MacOS 9.2
- Apple MacOS 9.1
- Apple MacOS 9.0.4
- Apple MacOS 9.0
- Apple MacOS 10.1.2
- Apple MacOS 10.1.1
- Apple MacOS 10.1
- Apple MacOS 10.0.4
- Apple MacOS 10.0.3
- Apple MacOS 10.0.2
- Apple MacOS 10.0.1
- Apple MacOS 10.0
- Microsoft Windows XP
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
Netscape Netscape 6.2.1
- Apple MacOS 9.2.1
- Apple MacOS 9.2
- Apple MacOS 9.1
- Apple MacOS 9.0.4
- Apple MacOS 9.0
- Apple MacOS 10.1.2
- Apple MacOS 10.1.1
- Apple MacOS 10.1
- Apple MacOS 10.0.4
- Apple MacOS 10.0.3
- Apple MacOS 10.0.2
- Apple MacOS 10.0.1
- Apple MacOS 10.0
- Microsoft Windows XP
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
BUGTRAQ ID: 4628
CVE(CAN) ID: CVE-2002-0354
Mozilla是一款免费开放源代码的WEB浏览器,运行在多种Linux和Unix操作系统下,也可运行在MacOS和Microsoft Windows 9x/ME/NT/2000/XP操作系统下,Netscape是另一个款运行在多种系统平台下的流行的WEB浏览器。
Mozilla和Netscape 6在处理HTTP重定向到XMLHttpRequest对象时存在漏洞,可导致远程攻击者查看目标用户系统上的任意文件内容。
XMLHttpRequest对象允许一客户端机器通过HTTP请求获得XML文档。如果服务器响应这个HTTP请求重定向到用户本地的文件,就可以绕过安全检查并使文件可访问,造成敏感信息泄露。这可通过使用'open'模式打开一个重定向本地文件的WEB页面完成。
据报告,此问题也存在load模式使用在由DOMImplementation接口的createDocument模式建立的XML文档。
<*来源:GreyMagic Software (security@greymagic.com)
Thor Larholm (Thor@jubii.dk)
链接:http://archives.neohapsis.com/archives/bugtraq/2002-04/0409.html
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 不要用浏览器随意浏览不可信站点和页面。
厂商补丁:
Mozilla
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Mozilla Browser 0.9.7:
Mozilla Upgrade mozilla-source-1.0.rc1.tar.gz
http://ftp.mozilla.org/pub/mozilla/releases/mozilla1.0rc1/src/mozilla-source-1.0.rc1.tar.gz
Fixed if date is later than May 02, 2002.
Mozilla Browser 0.9.8:
Mozilla Upgrade mozilla-source-1.0.rc1.tar.gz
http://ftp.mozilla.org/pub/mozilla/releases/mozilla1.0rc1/src/mozilla-source-1.0.rc1.tar.gz
Fixed if date is later than May 02, 2002.
Mozilla Browser 0.9.9:
Mozilla Upgrade mozilla-source-1.0.rc1.tar.gz
http://ftp.mozilla.org/pub/mozilla/releases/mozilla1.0rc1/src/mozilla-source-1.0.rc1.tar.gz
Fixed if date is later than May 02, 2002.
Mozilla Browser 1.0 RC1:
Mozilla Upgrade mozilla-source-1.0.rc1.tar.gz
http://ftp.mozilla.org/pub/mozilla/releases/mozilla1.0rc1/src/mozilla-source-1.0.rc1.tar.gz
Fixed if date is later than May 02, 2002.
Netscape
--------
目前Netscape厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.netscape.com
浏览次数:2885
严重程度:0(网友投票)
绿盟科技给您安全的保障