Evil GIFs: Partial Same Origin Bypass with Hybrid Files

Ben Lorica 2008/06/30

Many web sites allow users to upload different types of files, in particular GIF and other image files. During a recent webinar to promote the upcoming Black Hat briefings in Las Vegas, a group of hackers announced the creation of a hybrid file that can potentially bypass a browser's same origin policy. They created a GIF file that also happens to be a JAR file (a "GIFAR" file). Once uploaded onto a web site, and assuming the web server runs a JVM, it allows one to run a malicious Java applet on someone else's web server.

Details were not provided, since the hackers claim that Sun is still working on a patch. For more on hybrid (image) files as attack vectors, go to minute 41:23 of the webinar.
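For sites that accept image uploads, the following added example (not from the original post or from the researchers) shows a server-side check for GIF/ZIP hybrids. It relies on two format facts: a GIF is identified by its first six bytes, while a ZIP archive (and therefore a JAR) is located through an end-of-central-directory record near the end of the file. The function names and the sample bytes are constructed for illustration.

```python
import struct

GIF_MAGICS = (b"GIF87a", b"GIF89a")
EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory (EOCD) signature
EOCD_LEN = 22              # size of the fixed part of the EOCD record
MAX_COMMENT = 0xFFFF       # the EOCD may be followed by a comment this long


def is_gif(data: bytes) -> bool:
    """A GIF is recognised by its 6-byte header at offset 0."""
    return data[:6] in GIF_MAGICS


def find_zip_eocd(data: bytes) -> int:
    """Return the offset of a plausible EOCD record in the tail, or -1."""
    tail_start = max(0, len(data) - (EOCD_LEN + MAX_COMMENT))
    pos = data.rfind(EOCD_SIG, tail_start)
    while pos != -1:
        if pos + EOCD_LEN <= len(data):
            # The last two bytes of the fixed record give the comment length.
            comment_len = struct.unpack_from("<H", data, pos + 20)[0]
            # "<=" tolerates trailing junk, so the check fails closed.
            if pos + EOCD_LEN + comment_len <= len(data):
                return pos
        pos = data.rfind(EOCD_SIG, tail_start, pos)  # next match, further left
    return -1


def classify_upload(data: bytes) -> str:
    """Classify an upload claimed to be a GIF."""
    if not is_gif(data):
        return "not-gif"
    if find_zip_eocd(data) != -1:
        return "gif-zip-hybrid"   # reject or quarantine
    return "gif"


# Constructed sample inputs: a GIF header plus trailer, and the same bytes
# followed by an empty ZIP archive (an EOCD record with no entries).
SAMPLE_GIF = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0) + b"\x3b"
EMPTY_ZIP = EOCD_SIG + b"\x00" * 18
SAMPLE_HYBRID = SAMPLE_GIF + EMPTY_ZIP

if __name__ == "__main__":
    for name, blob in (("gif", SAMPLE_GIF), ("hybrid", SAMPLE_HYBRID)):
        print(name, "->", classify_upload(blob))
```

This check is a heuristic on the raw bytes. Re-encoding accepted images on the server discards any data appended after the image regardless of what the check finds.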


blog/ben/partial-same-origin-bypass-wit.txt · Last modified: 2008/09/08 by radarman