Microsoft Internet Explorer 8 - 'toStaticHTML()' HTML Sanitization Bypass
CVE ID
CVE-2010-3324
Exploitation status
None yet
Patch status
N/A
Disclosure date
2010-09-18
Vulnerability description
The toStaticHTML function in Microsoft Internet Explorer 8, and the SafeHTML function in Microsoft Windows SharePoint Services 3.0 SP2, SharePoint Foundation 2010, Office SharePoint Server 2007 SP2, Groove Server 2010, and Office Web Apps, allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and conduct XSS attacks via a crafted use of the Cascading Style Sheets (CSS) @import rule, aka "HTML Sanitization Vulnerability," a different vulnerability than CVE-2010-1257.
Remediation advice
Users can refer to the following patch information provided by the vendor:

Microsoft SharePoint Server 2007 SP2
- Microsoft office2007-kb2345212-fullfile-x86-glb.exe
  http://www.microsoft.com/downloads/details.aspx?familyid=aee3f2de-ccf3-4d32-b468-eede4e8afcd4

Microsoft SharePoint Services 3.0 SP2
- Microsoft wss-kb2345304-fullfile-x86-glb.exe
  http://www.microsoft.com/downloads/details.aspx?familyid=12fd97a9-6fb8-4b65-a497-a56587f114e1

Microsoft SharePoint Services 64-bit 3.0 SP2
- Microsoft wss-kb2345304-fullfile-x64-glb.exe
  http://www.microsoft.com/downloads/details.aspx?familyid=58d1e91d-a037-485d-a6d9-80fbf403b108

Microsoft Internet Explorer 8
- Microsoft IE8-WindowsServer2003.WindowsXP-KB2360131-x64-ENU.exe
  http://www.microsoft.com/downloads/details.aspx?familyid=05413f6c-b4be-4892-b4b3-c54dd01fd95d
- Microsoft Windows6.1-KB2360131-x64.msu
  http://www.microsoft.com/downloads/details.aspx?familyid=ffe364ee-e2ae-466c-b727-14b1a976a860
- Microsoft Windows6.1-KB2360131-x86.msu
  http://www.microsoft.com/downloads/details.aspx?familyid=6595770f-e580-4613-a83a-3b8ee4cc30f1
- Microsoft IE8-Windows6.0-KB2360131-x86.msu
  http://www.microsoft.com/downloads/details.aspx?familyid=191c8388-f1ef-45b6-9f07-d5654a973abe
- Microsoft IE8-Windows6.0-KB2360131-x64.msu
  http://www.microsoft.com/downloads/details.aspx?familyid=adeb3036-62fa-4a29-b82f-ff4a50c05996
- Microsoft Windows6.1-KB2360131-ia64.msu
  http://www.microsoft.com/downloads/details.aspx?familyid=bbaa9f46-8fc7-4c44-b38c-dc3d5210f63d
- Microsoft IE8-WindowsXP-KB2360131-x86-ENU.exe
  http://www.microsoft.com/downloads/details.aspx?familyid=93580299-d764-417f-a7fa-ee441fea2bb3
- Microsoft IE8-WindowsServer2003-KB2360131-x86-ENU.exe
  http://www.microsoft.com/downloads/details.aspx?familyid=9af37f62-5585-4ff5-9dd3-3fa0b148ae08

Microsoft SharePoint Server 2007 x64 SP2
- Microsoft office2007-kb2345212-fullfile-x64-glb.exe
  http://www.microsoft.com/downloads/details.aspx?familyid=e5e60751-242a-4fdb-9852-6d94050d3d0e

Affected software
| # | Type | Vendor | Product | Version | Impact |
|---|---|---|---|---|---|
| 1 | Application | microsoft | groove_server | 2010 | - |
| | Application | microsoft | ie | 8 | - |
| | Application | microsoft | sharepoint_foundation | 2010 | - |
| | Application | microsoft | sharepoint_server | 2007 | - |
| | Application | microsoft | sharepoint_services | 3.0 | - |
| | Application | microsoft | web_apps | * | - |
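- Attack vector: Network
- Attack complexity: N/A
- Privileges required: None
- Scope: N/A
- User interaction: Required
- Availability: None
- Confidentiality: None
- Integrity: Partial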
| CWE-ID | Vulnerability type |
|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Exploit-related links
- avd.aliyun.com