[WebKit-devel] [Bug 217464] Universal XSS and / or crash
Tim Brown
kde at machine.org.uk
Wed Jul 14 18:02:48 CEST 2010
https://bugs.kde.org/show_bug.cgi?id=217464
Tim Brown <kde at machine.org.uk> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WORKSFORME |
--- Comment #11 from Tim Brown <kde machine org uk> 2010-07-14 18:02:45 ---
Still a problem even on 0.5. Enter:
http://wwwmail.google.com/"><script>document.body.innerHTML='<h1>Welcome to
Google.com</h1>Username: <input type="username" name="text">Password: <input
type="password" name="password"><input type="submit" value="Submit">'</script>
into your URL bar and hit enter. The full URL submitted is used as part of the
error page for the "Try again" button. The good news is that this time, I
don't appear to have access to the cookies for the domain, but as you
can see it's still possible to spoof up legitimate-looking URLs.
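An added example, not part of the original message or the project's code: the comment above says the full submitted URL is reused in the error page for the "Try again" button. The sketch below builds a hypothetical error-page template both ways, with the URL pasted in verbatim and with it escaped for the attribute context. The template, function names and sample URL are assumptions constructed for illustration.

```cpp
#include <string>

// Escape the characters that are significant in HTML text and attribute values.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical template. Unsafe: the failed URL is pasted into the attribute
// as-is, so a '"' in the URL closes the attribute and the rest becomes markup.
std::string errorPageUnsafe(const std::string& url) {
    return "<h1>Unable to load page</h1><form action=\"" + url +
           "\"><input type=\"submit\" value=\"Try again\"></form>";
}

// Hardened: same template, URL escaped for the attribute context.
std::string errorPageSafe(const std::string& url) {
    return "<h1>Unable to load page</h1><form action=\"" + htmlEscape(url) +
           "\"><input type=\"submit\" value=\"Try again\"></form>";
}

// Count '<' characters; the template alone contributes exactly five.
int countTagOpeners(const std::string& html) {
    int n = 0;
    for (char c : html) if (c == '<') ++n;
    return n;
}

// Constructed, harmless input: a URL carrying a quote and a <b> element.
const std::string kSampleUrl = "http://example.invalid/\"><b>injected</b>";

int main() {
    // Unsafe page gains two extra tags from the URL; safe page keeps only its own.
    return (countTagOpeners(errorPageUnsafe(kSampleUrl)) == 7 &&
            countTagOpeners(errorPageSafe(kSampleUrl)) == 5) ? 0 : 1;
}
```

Escaping covers the markup injection only; a URL placed in a link or form target should also be limited to expected schemes such as http and https.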