[Webkit-unassigned] [Bug 7135] New: window.history object
bugzilla-daemon at opendarwin.org
Tue Feb 7 09:59:23 PST 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=7135
Summary: window.history object
Product: WebKit
Version: 417.x
Platform: Macintosh
OS/Version: Mac OS X 10.4
Status: UNCONFIRMED
Severity: trivial
Priority: P2
Component: JavaScript
AssignedTo: webkit-unassigned at opendarwin.org
ReportedBy: gazhay at gmail.com
This used to trouble me with IE and Mozilla.
The window.history object is protected from reading for obvious reasons,
however, try this :-
1. On a page call any of the following (or all)
window.history[58769]="This is a history hijack attempt";
window.history[window.history.length]="this is another hijack";
window.history[0]="This is history 1";
2. On another page attempt to read window.history[58769], [0], or [length-1]
The result - data transferred across pages. (This also used to be considered a
security problem, so much so that MS went to great lengths to stop you doing
such things without cookies)
A trivial 'problem' - but one that a malicious page writer could exploit to
gain information. (I won't elaborate on the details)
Just interested in your thoughts on whether or not this is a bug.
--
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
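Added example, not part of the original report and not WebKit code: a check that a page or test harness could run on load to see whether the history object carries script-written expando properties like those in step 1 of the report. The function names and the MockHistory stand-in are hypothetical and constructed for illustration; in a browser, pass window.history instead.

```javascript
// Added example (not from the bug report); all names here are hypothetical.
// Standard members of the History interface. Anything else found directly on
// the object was put there by script (an "expando").
const STANDARD_HISTORY_MEMBERS = new Set([
  "length", "state", "scrollRestoration",
  "back", "forward", "go", "pushState", "replaceState",
]);

// Return every non-standard own property of a history-like object,
// including array-index keys such as history[58769].
function findHistoryExpandos(historyObj) {
  return Reflect.ownKeys(historyObj)
    .filter((k) => typeof k === "symbol" || !STANDARD_HISTORY_MEMBERS.has(k))
    .map((key) => ({ key: String(key), value: historyObj[key] }));
}

// True when no script-written data is visible on the object.
function historyIsClean(historyObj) {
  return findHistoryExpandos(historyObj).length === 0;
}

// Constructed stand-in for window.history so the check runs outside a browser.
class MockHistory {
  get length() { return 3; }
  back() {}
  forward() {}
  go() {}
}

// Constructed sample: the three writes from step 1 of the report.
function makeTaintedHistory() {
  const h = new MockHistory();
  h[58769] = "This is a history hijack attempt";
  h[h.length] = "this is another hijack";
  h[0] = "This is history 1";
  return h;
}
```

Run on the second page of the report's procedure, historyIsClean(window.history) returning false means data written by the previous page is still readable.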