Bugtraq: Re: Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome

From: Liu Die Yu <liudieyu.com () gmail com>
Date: Sat, 4 Jul 2009 16:44:16 +0800

At first glance there it missed "vbscript:"?

On Sat, Jul 4, 2009 at 1:07 AM, Michal Zalewski<lcamtuf () coredump cx> wrote:

refresh: 0; URL=javascript:alert(document.cookie)
The code will work in context of this site.


...which happens to be covered here for half a year or so:
http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions

I can't see how this could be a vulnerability per se, although
changing the behavior offers an additional, if small, degree of
protection in case of security lapses in web applications, so it's a
reasonable improvement.

Cheers,
/mz

By Date By Thread

Current thread:

Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome MustLive (Jul 03)
- Re: Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome Michal Zalewski (Jul 03)
  - Re: Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome Liu Die Yu (Jul 06)