[WebKit-devel] [Bug 217464] Universal XSS and / or crash
Andrea Diamantini
adjam7 at gmail.com
Mon Dec 7 13:17:18 CET 2009
https://bugs.kde.org/show_bug.cgi?id=217464
--- Comment #5 from Andrea Diamantini <adjam7 gmail com> 2009-12-07 13:17:14 ---
(In reply to comment #0)
> Rekonq is affected by a universal XSS and / or crash. Opening a fresh instance
> of Rekonq and entering the following URL causes a crash:
>
> http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><script>alert(document.cookie)</script>
>
> However, if you enter this into a new tab on an existing instance of Rekonq
> then it will first try to resolve the hostname and then when that fails it
> will display an error message. The error message output by Rekonq includes the
> full URL, including the <script> tags. Since Rekonq sees that the requested URL
> is part of *.twitter.com and since twitter.com sets wildcard domain'd cookies,
> the error page will be able to access any cookies that have been set. Note
> that this is not unique to twitter.com, cookies can be stolen from any site that
> sets wildcard domain'd cookies.
>
> There are therefore 3 issues:
>
> 1) Crash on fresh instance
> 2) Injection of malicious content into error message
> 3) Access to cookies when the hostname under which the cookies have been set
> was not accessible
First of all, thanks for pointing out the issue :)
I'm seeing some different behaviour here, anyway.
1) rekonq no longer crashes (master, rekonq 0.3.19)
2) present
3) uhm... "quite present"
I'm following your suggestions to fix #2 and investigating #3.
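The two open points in the report, an error page that embeds the failed URL unescaped (#2) and cookie scoping that does not care whether the host resolves (#3), can be shown side by side in a few lines. The following is an added example and is not rekonq's or WebKit's code; it assumes a hypothetical error-page builder that templates the URL into HTML, a shortened stand-in host under twitter.com, and a constructed cookie jar. The domain-match rule follows RFC 6265 section 5.1.3.

```javascript
// Added example, not rekonq code. Shows why the error page is a reflected XSS
// sink and why an unresolvable subdomain still receives wildcard-domain cookies.

// Shortened stand-in for the host in the report (assumed, not the real URL).
const FAILED_URL = 'http://thisdomainwillnotresolve.twitter.com/"><script>alert(document.cookie)</script>';

// Issue #2, vulnerable form: the raw URL is concatenated into the markup, so
// the `">` in the path closes the attribute and the <script> element goes live.
function buildErrorPageUnsafe(url) {
  return `<html><body><p>Could not load <a href="${url}">${url}</a></p></body></html>`;
}

// Escape every character that can switch HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Issue #2, hardened form: the same template with the URL escaped once for
// both the attribute value and the text node.
function buildErrorPageSafe(url) {
  const u = escapeHtml(url);
  return `<html><body><p>Could not load <a href="${u}">${u}</a></p></body></html>`;
}

// Does the generated markup contain a real <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Host part of the failed URL; this is the origin the error page would get
// if it is rendered "as" the requested URL instead of as a browser-internal page.
function hostOf(url) {
  return new URL(url).hostname;
}

// Issue #3: RFC 6265 domain matching. A cookie with Domain=twitter.com
// (or .twitter.com) matches twitter.com and every label below it; nothing in
// the rule depends on DNS, so an unresolvable subdomain matches too.
function cookieDomainMatches(cookieDomain, requestHost) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase();
  const h = requestHost.toLowerCase();
  if (h === d) return true;
  // Host-only cookies and IPv4 literals never match by suffix.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(h)) return false;
  return h.endsWith('.' + d);
}

// Constructed sample jar, not real data.
const SAMPLE_JAR = [
  { name: 'session', domain: '.twitter.com',    value: 'constructed' },
  { name: 'pref',    domain: 'www.twitter.com', value: 'constructed' },
  { name: 'other',   domain: '.example.org',    value: 'constructed' },
];

// Names of the cookies a page rendered under `host` would be able to read.
function cookiesVisibleTo(host, jar = SAMPLE_JAR) {
  return jar.filter(c => cookieDomainMatches(c.domain, host)).map(c => c.name);
}

// Stand-alone run: unsafe page carries a live script, safe page does not, and
// the unresolvable host still sees the wildcard session cookie.
console.log('unsafe has <script>:', containsScriptTag(buildErrorPageUnsafe(FAILED_URL)));
console.log('safe has <script>:  ', containsScriptTag(buildErrorPageSafe(FAILED_URL)));
console.log('cookies visible to', hostOf(FAILED_URL), '->', cookiesVisibleTo(hostOf(FAILED_URL)));
```

Escaping fixes #2 but not #3: as long as the error page is rendered with the requested URL's origin, the domain-match rule above hands it every cookie scoped to the parent domain, script injection or not. The usual remedy is to render error pages under a browser-internal scheme and origin rather than under the URL that failed.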