How do I integrate Perfidies (browser plugin vulnerability scanner) into my website?

Time: 2023-01-15 15:36:07

Perfidies / Plugindir is the client to Mozilla's plugin vulnerability database. I think a variant of this is used here on this site geared for end users.


I would like to redirect any browser that is using an old version of Java, Silverlight, Flash, etc to a "quarantine" page asking them to upgrade their browser before they are permitted to log in.


  • What technical changes do I need to make to accomplish this?

  • What Perfidies-specific JavaScript objects must I become aware of?

  • Are there any deployment concerns or modifications I should make?


1 solution

#1


1  

You should provide some more context to your question. I will try to help you, though, by suggesting a way to do this.

You mentioned you want to disallow users to login, so I think the best way to do this is putting the validation code in the login page as a javascript include. Keep in mind since the script is executed on the client, there is no guarantee that it will really execute and an expert user can circumvent your "protection" by e.g. disabling scripting. But if you are in an intranet and generally trust your users, it shouldn't be a big problem.


To learn how to use Perfidies, I recommend you look at the following file, which you should be able to change to your needs (not tested!): https://github.com/ozten/Perfidies-of-the-Web/blob/master/plugincheck_ui.js

The main function to call seems to be Pfs.findPluginInfos(Pfs.UI.navInfo, browserPlugins, incrementalCallbackFn, finishedCallbackFn). In the incrementalCallbackFn you get all vulnerable plugins. If there exists one, you can redirect the browser to your page.


See the referenced page to see how to fill the other function-parameters.


Regarding deployment I would allow some way to skip this verification, because there are always cases in which you want to allow exceptional access. If your boss needs a report in 5 minutes you don't want to tell him that he has to update his java version first, just because there was an update yesterday which probably isn't even exploited yet.


So maybe show a big red warning for users trying to access the page, but give them a way to ignore the warning if they choose to...


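The callback wiring the answer describes (collect plugin reports in the incremental callback, decide after the finished callback, redirect to a quarantine page, and keep an explicit "ignore the warning" escape hatch), as an added example that is not the answer's own code and not code from the Perfidies project. It assumes a report shape of `{ name, version, status }` with status strings such as `"vulnerable"`, `"outdated"` and `"current"`; check `plugincheck_ui.js` for the real field names before relying on them. `fakeFindPluginInfos` is a constructed stand-in for `Pfs.findPluginInfos` so the logic runs outside a browser, and `/quarantine.html` is a placeholder path.

```javascript
// Added example (not from the Perfidies project): gate a login page on a
// plugin scan. The report shape { name, version, status } and the status
// values are ASSUMPTIONS about the Pfs callbacks; verify against
// plugincheck_ui.js before use.

// Statuses that should send the visitor to the quarantine page.
// Assumption: Perfidies reports "vulnerable" and "outdated"; both block,
// since an outdated plugin normally has a fix available.
const BLOCKING_STATUSES = new Set(["vulnerable", "outdated"]);

// Build the pair of callbacks that Pfs.findPluginInfos expects.
// `state` accumulates results across the incremental calls.
function makeCallbacks(state) {
  const incremental = (report) => {
    // Assumed: one plugin report per incremental call.
    state.seen.push(report);
    if (BLOCKING_STATUSES.has(report.status)) state.blocking.push(report);
  };
  const finished = () => { state.done = true; };
  return { incremental, finished };
}

// Decide what the login page should do once the scan has finished.
// `opts.bypassGranted` is the "ignore the warning" escape hatch the answer
// recommends; it should be set only by an explicit user action (a button
// on the quarantine page), never silently. This is a client-side check,
// so the server must not treat "allow" as proof of anything.
function decideAccess(state, opts = {}) {
  if (!state.done) return { action: "wait", blocking: [] };
  if (state.blocking.length === 0) return { action: "allow", blocking: [] };
  if (opts.bypassGranted) {
    return { action: "allow-with-warning", blocking: state.blocking.slice() };
  }
  return { action: "quarantine", blocking: state.blocking.slice() };
}

// Build the quarantine URL, carrying the offending plugin names so the page
// can say exactly what to update, plus the path to return to afterwards.
function quarantineUrl(base, blocking, returnTo) {
  const names = blocking.map((r) => `${r.name} ${r.version}`).join(",");
  const q = new URLSearchParams({ plugins: names, return: returnTo });
  return `${base}?${q.toString()}`;
}

// Glue: run the scan, then either proceed or navigate away.
// `findPluginInfos` and `navigate` are injected so the logic runs outside a
// browser; in the real page they would be Pfs.findPluginInfos (with
// Pfs.UI.navInfo and the browser plugin list bound in) and
// (url) => window.location.replace(url).
function runPluginGate(findPluginInfos, navigate, opts) {
  const state = { seen: [], blocking: [], done: false };
  const cb = makeCallbacks(state);
  findPluginInfos(cb.incremental, cb.finished); // the stand-in below is synchronous
  const decision = decideAccess(state, opts);
  if (decision.action === "quarantine") {
    navigate(quarantineUrl(opts.quarantinePage, decision.blocking, opts.returnTo));
  }
  return decision;
}

// Constructed stand-in for Pfs.findPluginInfos so the example runs offline.
// The plugin names and version strings are made-up sample data.
function fakeFindPluginInfos(incremental, finished) {
  const sample = [
    { name: "Java", version: "1.6.0_20 (sample)", status: "vulnerable" },
    { name: "Flash", version: "11.2 (sample)", status: "current" },
    { name: "Silverlight", version: "4.0 (sample)", status: "outdated" },
  ];
  sample.forEach(incremental);
  finished();
}

// Demo run against the constructed data.
const demoVisited = [];
const demoResult = runPluginGate(
  fakeFindPluginInfos,
  (url) => demoVisited.push(url),
  { quarantinePage: "/quarantine.html", returnTo: "/login" }
);
console.log(demoResult.action, demoVisited[0]);
```

In the real page the `incremental` and `finished` functions are what you pass as `incrementalCallbackFn` and `finishedCallbackFn`; the decision is deliberately taken only after `finished` fires, so a scan that has not completed never lets the user through by accident.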