JavaScript's "Same Origin Policy" (XWT Foundation Security Advisory)
Vadim Plessky
lucy-ples at mtu-net.ru
Wed Jul 31 13:39:16 BST 2002
I am wondering whether Konqueror is vulnerable to this security flaw?
If not - I think we should announce that Konq is safe against this flaw.
// It seems Mozilla project was notified about this flaw, and Konqueror's team
- not. Not very fair!
***
XWT Foundation Security Advisory
Adam Megacz <adam at xwt.org>
http://www.xwt.org/sop.txt
29-Jul-2002 [Public Release]
______________________________________________________________________________
Abstract
The following exploit constitutes a security flaw in JavaScript's
"Same Origin Policy" (SOP) [1]. Please note that this is *not* the
IE-specific flaw reported in February [2].
The exploit allows an attacker to use any JavaScript-enabled web
browser behind a firewall to retrieve content from (HTTP GET) and
interact with (HTTP <form/> POST) any HTTP server behind the
firewall. If the client in use is Microsoft Internet Explorer 5.0+,
Mozilla, or Netscape 6.2+, the attacker can also make calls to SOAP or
XML-RPC web services deployed behind the firewall.
...
01-Jul Advisory updated; SOAP/XML-RPC also vulnerable if client is
Microsoft Internet Explorer.
Microsoft Notified: secure at microsoft.com
Apache Foundation Notified: security at apache.org
Mozilla Project Notified: security at mozilla.org
CERT Notified: cert at cert.org
--
Vadim Plessky
http://kde2.newmail.ru (English)
33 Window Decorations and 6 Widget Styles for KDE
http://kde2.newmail.ru/kde_themes.html
KDE mini-Themes
http://kde2.newmail.ru/themes/