[[[openmya:035806] XSS triggers caused by IE's over-detection of "expression">http://archive.openmya.devnull.jp/2006.08/msg00369.html]]
is being discussed in various places.
http://cl.pocari.org/2006-08-31-1.html~
http://d.hatena.ne.jp/hasegawayosuke/20060831/p4
Quoted below.
In IE, writing styles such as the following makes it possible to execute JavaScript.
1) Definition inside a <style> block
<style>input { left:expression( alert('xss') ) } </style>
2) Inline style definition
<div style="{ left:expression( alert('xss') ) }">
3) Inserting a comment
<div style="{ left:exp/* */ression( alert('xss') ) }">
4) Specifying code points with a backslash
<div style="{ left:\0065\0078pression( alert('xss') ) }">
5) Entity references
In inline style definitions, entity references can be used.
<div style="{ left:expression( alert('xss') ) }">
6) Full-width characters
<div style="{ left:ｅｘｐｒｅｓｓｉｏｎ( alert('xss') ) }">
7) Specific Unicode characters
<div style="{ left:expＲessioＮ( alert('xss') ) }">
For Ｒ, U+0280 can be used; for Ｎ, U+0274 or U+207F.
Items 1), 7) above can also be written in combination with one another.
Also, 6) and 7) do not work in IE7 RC1.
Note that it still gets executed with full-width characters or an inserted comment.~
But a design that embeds external input as-is into an HTML tag attribute value and outputs it is wrong to begin with. If you really must build HTML tag attribute values dynamically, either define custom tags and emit the output only through your own generator that interprets those custom tags, so that nothing but the permitted tags and attribute values can be output; or restrict the permitted attribute values and use the external input only as a value that selects an attribute value, never embedding it in the attribute directly.
Example of the former (a Wiki, for instance)
Input: <p_red>Heading</p_red><br>
↓ pass it through the generator
Output: <p bgcolor="red">Heading</p><br>
In this case, notation and HTML tags not defined in the generator are ignored.
(HTML inside the input value must be escaped.)
Example of the latter
Input: red ※ the user selects it through an interface such as radio buttons or a select box
Note, however, that the user can freely tamper with request parameters!!
↓ input to the generator
Generator: for example, in Perl, define a hash like the following beforehand,
$color = { 'red' => 'red',
'ble' => 'blue',
:
'grn' => 'green' };
then fetch the value for the key that corresponds to the input and output it
<p bgcolor="$color->{'red'}">
If the user sends an input that has no corresponding key in $color, abort processing and return an error or the like.
If you do not want to leak system details to the user, redirecting to the top page might be a good idea.
(Perl example)
if ( exists $color->{$form{'color'}} ) {
print sprintf('<p bgcolor="%s">', $color->{$form{'color'}});
} else {
print "Location: トップページURL\r\n";
}
If you do this, you will not be troubled by browser-dependent vulnerabilities (it takes effort, though... especially the former).
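Both allow-list designs described above, as an added example that is not the page's or the mailing-list post's code: the key lookup from the Perl snippet (the latter design) and a minimal custom-tag generator (the former design). The TOP_PAGE_URL value and the p_red/p_ble/p_grn tag names are assumptions made for this example; the hash keys are the ones in the page's Perl hash.

```python
import html
import re

# Latter design: the request parameter never reaches the attribute. It only
# selects a key in a server-side table, mirroring the page's Perl $color hash.
COLOR = {"red": "red", "ble": "blue", "grn": "green"}
TOP_PAGE_URL = "https://example.invalid/"  # placeholder, constructed for this example


def render_bgcolor(param):
    """Return the <p bgcolor=...> fragment for a known key, else a redirect header."""
    if param in COLOR:
        return '<p bgcolor="%s">' % COLOR[param]
    # Unknown key (including a tampered parameter): stop and redirect, as the
    # page suggests, so no part of the input is ever echoed into the attribute.
    return "Location: %s\r\n" % TOP_PAGE_URL


# Former design: a custom-tag generator. Only <p_red>..</p_red> style tags
# (hypothetical names) are understood; everything else in the input, real HTML
# included, is escaped, so a style attribute carrying expression() never survives.
CUSTOM_TAG = re.compile(r"<p_(red|ble|grn)>(.*?)</p_\1>", re.DOTALL)


def generate(text):
    """Translate custom tags to fixed HTML and escape all other input text."""
    out, pos = [], 0
    for m in CUSTOM_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        # The attribute value comes from the table, the body is escaped text.
        out.append('<p bgcolor="%s">%s</p>' % (COLOR[m.group(1)], html.escape(m.group(2))))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```

Nested custom tags are not supported: the inner tag is treated as plain text and escaped, which errs on the safe side.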
#blikifooter(進地)