Internet Explorer Cookie Disclosure Vulnerability
Translated by: 晓澜 <emile_liao@163.net> QQ: 42449970 http://www.unsecret.org
---------------------------------------------
Affected systems:

Microsoft Internet Explorer 5.5 SP2
  - Microsoft Windows 2000 Terminal Services
  - Microsoft Windows 2000 Workstation
  - Microsoft Windows 2000 Workstation SP1
  - Microsoft Windows 2000 Workstation SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows 98SE
  - Microsoft Windows ME
  - Microsoft Windows NT 4.0 SP3
  - Microsoft Windows NT 4.0 SP4
  - Microsoft Windows NT 4.0 SP5
  - Microsoft Windows NT 4.0 SP6
  - Microsoft Windows NT 4.0 SP6a
  - Microsoft Windows NT Enterprise Server 4.0
  - Microsoft Windows NT Terminal Server 4.0

Microsoft Internet Explorer 5.5 SP1
  - Microsoft Windows 2000 Workstation
  - Microsoft Windows 2000 Workstation SP1
  - Microsoft Windows 2000 Workstation SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  - Microsoft Windows NT 4.0 SP3
  - Microsoft Windows NT 4.0 SP4
  - Microsoft Windows NT 4.0 SP5
  - Microsoft Windows NT 4.0 SP6
  - Microsoft Windows NT 4.0 SP6a

Microsoft Internet Explorer 5.5
  - Microsoft Windows 2000 Advanced Server
  - Microsoft Windows 2000 Advanced Server SP1
  - Microsoft Windows 2000 Advanced Server SP2
  - Microsoft Windows 2000 Datacenter Server
  - Microsoft Windows 2000 Datacenter Server SP1
  - Microsoft Windows 2000 Datacenter Server SP2
  - Microsoft Windows 2000 Professional
  - Microsoft Windows 2000 Professional SP1
  - Microsoft Windows 2000 Professional SP2
  - Microsoft Windows 2000 Server
  - Microsoft Windows 2000 Server SP1
  - Microsoft Windows 2000 Server SP2
  - Microsoft Windows 2000 Terminal Services
  - Microsoft Windows 2000 Terminal Services SP1
  - Microsoft Windows 2000 Terminal Services SP2
  - Microsoft Windows 95
  - Microsoft Windows 98
  + Microsoft Windows ME
  - Microsoft Windows NT 4.0 SP3
  - Microsoft Windows NT 4.0 SP4
  - Microsoft Windows NT 4.0 SP5
  - Microsoft Windows NT 4.0 SP6
  - Microsoft Windows NT 4.0 SP6a

Microsoft Internet Explorer 6.0
  - Microsoft Windows 2000 Workstation
  - Microsoft Windows 2000 Workstation SP1
  - Microsoft Windows 2000 Workstation SP2
  - Microsoft Windows 98
  - Microsoft Windows 98SE
  - Microsoft Windows ME
  - Microsoft Windows NT 4.0 SP6a
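Vulnerability description:
Microsoft Internet Explorer has a vulnerability in the way it handles script embedded in cookies. Because a cookie is an extension of the web site that the user has permitted to write it, script inside it, although it is in the Internet zone, should still be allowed to access only the cookies that belong to that site's domain.
However, some versions of Internet Explorer treat all cookie resources as coming from the same zone. As a result, script code embedded in a cookie can access all cookie resources on the local computer.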
Exploitation: Knowledge of JavaScript and HTML is required, but no exploit code is needed.
Solution: The following patches are available:

Microsoft Internet Explorer 5.5 SP2:
  Microsoft Patch q321232
  http://download.microsoft.com/download/ie55sp2/secpac27/5.5_sp2/W98NT42KMe/EN-US/q321232.exe

Microsoft Internet Explorer 5.5 SP1:
  Microsoft Patch q321232
  http://download.microsoft.com/download/ie55sp1/secpac27/5.5_sp1/W98NT42KMe/EN-US/q321232.exe

Microsoft Internet Explorer 5.5:

Microsoft Internet Explorer 6.0:
  Microsoft Patch q321232
  http://download.microsoft.com/download/IE60/secpac27/6/W98NT42KMeXP/EN-US/q321232.exe
Reference: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-023.asp