greasemonkey
The maker of Greasemonkey, a popular extension for power users of the Firefox browser, has posted a warning of a serious security vulnerability in the current release. This vulnerability can potentially give access to any and all files stored on a system running the Greasemonkey extension in Firefox.
The Greasemonkey extension provides the facility to install and run scripts either associated with particular sites, or with all sites on the Internet. These scripts use standard JavaScript features and syntax, but the extension also provides a set of extended functions that are available to user scripts. These functions are the source of the security hole.
Once a user script is associated with a site, those extended functions become available not just to the user script, but also to any script code within the site itself. A malicious site could wait until a user came along with a Greasemonkey script enabled for that site and then use the extended functions to access private files and data stored on the user’s system. Since many Greasemonkey scripts are designed to enhance all sites on the Web (and are therefore enabled for all sites), this is a very serious problem.
The extended function that is the biggest worry is the GM_xmlhttpRequest function, which enables user scripts (and due to this security hole, a malicious site) to make GET and POST requests for any URL, even outside the domain of the current site. By using it to request a file:// URL, a malicious site can read the contents of any file on the system, or even obtain a local directory listing. The script can then make a POST request to send that information to any URL.
While the developer searches for a good solution to these security issues, he has made available a new version of the extension, Greasemonkey 0.3.5, which removes support for all of the extended functions, including GM_xmlhttpRequest. Any script that relies on this feature will fail to work with this “neutered” version, but simple scripts that just tweak existing site layout/functionality should work fine.
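To decide which installed user scripts matter most while the fix is pending, the following added example (not code from Greasemonkey or from the original article) reads each script's metadata block and reports whether it is enabled for every site and whether it calls any `GM_` extended function, which is what stops working on 0.3.5. The sample scripts are constructed, and the treatment of a script without `@include` as matching all pages is an assumption of this example.

```javascript
// Added example (not Greasemonkey code): triage installed user scripts.
// Pull @name and @include values out of the // ==UserScript== block.
function parseMetadata(source) {
  const meta = { name: '(unnamed)', include: [] };
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '// ==UserScript==') { inBlock = true; continue; }
    if (line === '// ==/UserScript==') break;
    const m = inBlock && /^\/\/\s*@(\S+)\s+(.+)$/.exec(line);
    if (!m) continue;
    if (m[1] === 'name') meta.name = m[2].trim();
    if (m[1] === 'include') meta.include.push(m[2].trim());
  }
  return meta;
}

// Patterns that associate a script with every page.
const ALL_SITES = /^(\*|(https?|\*):\/\/\*(\/\*)?)$/;

function auditScript(source) {
  const meta = parseMetadata(source);
  // Assumption: a script with no @include runs on all pages.
  const include = meta.include.length ? meta.include : ['*'];
  // Scan only the code after the metadata block. Commented-out calls still
  // count, which errs toward flagging a script for manual review.
  const body = source.replace(/\/\/ ==UserScript==[\s\S]*?\/\/ ==\/UserScript==/, '');
  const extended = [...new Set(body.match(/\bGM_\w+/g) || [])].sort();
  return {
    name: meta.name,
    include,
    // On a vulnerable release, every page the script is enabled for can
    // reach the extended functions, whether or not the script uses them.
    exposesAllSites: include.some((p) => ALL_SITES.test(p)),
    // Greasemonkey 0.3.5 removes the extended functions entirely.
    breaksOn035: extended.length > 0,
    extended,
  };
}

// Constructed sample scripts, for illustration only.
const SAMPLE_SCRIPTS = [
  '// ==UserScript==\n// @name Link Tweaker\n// @include *\n// ==/UserScript==\n' +
    'document.title = "[x] " + document.title;',
  '// ==UserScript==\n// @name Feed Fetcher\n// @include http://example.com/*\n// ==/UserScript==\n' +
    'GM_xmlhttpRequest({ method: "GET", url: "http://example.org/feed", onload: function (r) { GM_log(r.status); } });',
  '// ==UserScript==\n// @name Note Keeper\n// ==/UserScript==\nGM_setValue("n", 1);',
];

const report = SAMPLE_SCRIPTS.map(auditScript);
console.table(report.map(({ name, exposesAllSites, breaksOn035 }) => ({ name, exposesAllSites, breaksOn035 })));
```

Scripts reported with `exposesAllSites` are the ones to disable first on a vulnerable release; scripts with `breaksOn035` set to false can be kept after upgrading.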
Translated from: https://www.sitepoint.com/serious-security-vulnerability-in-greasemonkey/