- XSS vulnerability via expression in IE (this page has been deleted; backups listed below)
- Backup 1 (2006-09-05 (Tue) 20:17:27)
- Backup 2 (2006-09-05 (Tue) 20:27:40)
The way IE's over-lenient detection of "expression" leads to XSS has been discussed in several places.
http://cl.pocari.org/2006-08-31-1.html
http://d.hatena.ne.jp/hasegawayosuke/20060831/p4
Quoted below.
In IE, writing a style such as the following makes it possible to run JavaScript.

1) Definition inside a <style> block
   <style>input { left:expression( alert('xss') ) } </style>
2) Inline style definition
   <div style="{ left:expression( alert('xss') ) }">
3) Inserting a comment
   <div style="{ left:exp/* */ression( alert('xss') ) }">
4) Specifying code points with backslashes
   <div style="{ left:\0065\0078pression( alert('xss') ) }">
5) Entity references
   In an inline style definition, entity references can be used.
   <div style="{ left:expression( alert('xss') ) }">
6) Full-width characters
   <div style="{ left:ｅｘｐｒｅｓｓｉｏｎ( alert('xss') ) }">
7) Specific Unicode characters
   <div style="{ left:expＲessioＮ( alert('xss') ) }">
   For Ｒ, U+0280 can be used; for Ｎ, U+0274 or U+207F.
Items 1) and 7) above can also be written in combination with each other. Also, 6) and 7) do not work in IE7 RC1.
It still gets executed with full-width characters or with a comment inserted, so this needs care.
But a design that embeds an external input value as-is into an HTML tag attribute value and outputs it is unacceptable in the first place. If tag attribute values really must be assembled dynamically and output, then either define custom HTML tags and pass them through a generator that interprets those custom tags itself, so that only permitted tags and attribute values can ever be output, or restrict the permitted attribute values and use the external input only as a key for selecting an attribute value, never embedding it in the attribute directly.
Example of the former (e.g. a Wiki)
Input value: <p_red>Heading</p_red><br>
  → passed through the generator
Output value: <p bgcolor="red">Heading</p><br>
In this case, notation and HTML tags not defined in the generator are ignored. (HTML inside the input value must be escaped.)
Example of the latter
Input value: red
  ※ The user selects it through an interface such as radio buttons or a select box. Note, however, that the user can freely tamper with request parameters!!
  → passed to the generator
Generator: for example, in Perl, define a hash beforehand like the following,
    $color = {
        'red' => 'red',
        'ble' => 'blue',
        # ...
        'grn' => 'green'
    };
look up the value for the key matching the input, and output that:
    <p bgcolor="$color->{'red'}">
If the user sends an input with no corresponding key in $color, abort processing and raise an error or similar. If you do not want to leak system details to the user, simply redirecting to the top page may be a good option.
(Perl example)
    # %form holds the request parameters; $color is the allow-list hash defined above
    if ( exists $color->{$form{'color'}} ) {
        print sprintf('<p bgcolor="%s">', $color->{$form{'color'}});
    } else {
        # TOP_PAGE_URL is a placeholder; the second \r\n is the blank line that ends the CGI header block
        print "Location: TOP_PAGE_URL\r\n\r\n";
    }
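As an added example (not code from this page or from the linked posts), the Python below turns the variants quoted above into detection test vectors: a literal deny-list check misses most of them, a normalizing filter catches the listed ones only by reimplementing IE's tolerances by hand, and the allow-list generator from the Perl example needs neither, because the request value only selects a key. The sample style strings and COLOR_MAP are constructed for this example.

```python
import re
import unicodedata

# Constructed test vectors: one style value per evasion listed in the quoted text.
# They are detection samples for the filters below, not code from the page.
VARIANTS = {
    "plain":     "left:expression( alert('xss') )",
    "comment":   "left:exp/* */ression( alert('xss') )",
    "backslash": r"left:\0065\0078pression( alert('xss') )",
    "fullwidth": "left:ｅｘｐｒｅｓｓｉｏｎ( alert('xss') )",
    "smallcap":  "left:exp\u0280essio\u0274( alert('xss') )",  # U+0280 for r, U+0274 for n
}

def naive_filter(style: str) -> bool:
    """Deny-list check as commonly written: flags only the literal token."""
    return "expression" in style.lower()

def normalize_css(style: str) -> str:
    """Fold the obfuscations the quoted text lists into plain ASCII.

    This chases IE's parser by hand (comments, hex escapes, NFKC, small
    capitals) and is only as complete as the list it was built from.
    """
    s = re.sub(r"/\*.*?\*/", "", style, flags=re.S)          # 3) strip CSS comments
    s = re.sub(r"\\([0-9a-fA-F]{1,6}) ?",                    # 4) \0065 -> 'e'
               lambda m: chr(int(m.group(1), 16)), s)
    s = unicodedata.normalize("NFKC", s)                     # 6) fullwidth -> ASCII, U+207F -> 'n'
    s = s.replace("\u0280", "r").replace("\u0274", "n")      # 7) small capitals have no NFKC mapping
    return s.lower()

def normalized_filter(style: str) -> bool:
    return "expression" in normalize_css(style)

# Allow-list generator (constructed map): the request value only selects a key and is never emitted.
COLOR_MAP = {"red": "red", "ble": "blue", "grn": "green"}

def render_bgcolor(user_value: str):
    """Return the tag for a permitted key, or None so the caller can abort or redirect."""
    if user_value not in COLOR_MAP:
        return None
    return '<p bgcolor="%s">' % COLOR_MAP[user_value]

if __name__ == "__main__":
    for name, style in VARIANTS.items():
        print(f"{name:10} naive={naive_filter(style)!s:5} normalized={normalized_filter(style)}")
    print(render_bgcolor("red"), render_bgcolor(VARIANTS["comment"]))
```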