Feb 16, 2007

[Vulnerability] Both Firefox and IE are affected

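大砲開講
IE and Firefox security vulnerability allows access to hard-disk data
Demo page: http://lcamtuf.coredump.cx/focusbug/
Test results:
Firefox 2.0.0.1: the file was displayed successfully; compromised
IE 6.0.2800: not compromised (but that seems to be because the page did not render completely?)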

Firefox cookie security vulnerability (null character "\x00")
Test page: http://lcamtuf.dione.cc/ffhostname.html
Result: compromised
The page displays:
You can confirm the presence of a test cookie by going to Tools -> Options -> Privacy -> Show cookies..., and locating an entry for coredump.cx domain. To protect yourself until patches are available, consider using a NoScript plugin. An interim workaround suggested by Firefox developers is to go to about:config, right-click to add a new string key: capability.policy.default.Location.hostname.set
...and then to set its value to 'noAccess'.
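My own translation:
You can go to Tools\Options\Privacy\Show cookies and look for the coredump.cx entry to confirm that it exists.
To protect yourself until a patch is available, you can install NoScript.
You can also use about:config to add capability.policy.default.Location.hostname.set with the value noAccess.
PS
The change works; the vulnerability is gone.
But about:config does not show the capability.policy.default.Location.hostname.set key.
Strange.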
