[Webkit-unassigned] [Bug 7135] window.history object persists data across pages
bugzilla-daemon at opendarwin.org
bugzilla-daemon at opendarwin.org
Tue Feb 7 14:16:47 PST 2006
http://bugzilla.opendarwin.org/show_bug.cgi?id=7135
------- Comment #3 from ddkilzer at kilzer.net 2006-02-07 14:16 PDT -------
(In reply to comment #2)
> I can verify that Safari does persist the data, whereas FF doesn't. It's not
> immediately clear to me why this is a vulnerability. A malicious site can only
> read the data if another site has explicitly made it available.
NOTE: I have NOT tested any of these theories (since I'm not in front of my
PowerBook G4 at the moment).
1. Can some sort of denial of service attack may be launched to consume memory?
<script>
for (i = window.history.length; 1 == 1; i++) {
window.history[i] = "...a really, really long string...";
}
</script>
2. Can the index for window.history[] be overflowed if it's willing to accept
any index value?
<script>
window.history[2147483647] = "INT_MAX";
window.history[2147483647+1] = "INT_MAX+1";
</script>
3. Can a "future" history item be added to window.history[] and then
window.history.forward() or javascript:goForward() be used to run it?
<script>
window.history[window.history.length] = "javascript:alert('Hello world!');";
window.history.forward();
</script>
4. The window.history[] array provides a cross-site scripting (XSS) attacker a
large storage space for keeping cookie values or usernames/passwords. If the
attacker can plant XSS code to store sensitive data (such as session cookies)
in the history array, they can store a lot of information that could be sent if
they are able to trick the user into visiting a "harvesting" site later.
http://www.cert.org/advisories/CA-2000-02.html
I do remember the original brouhaha about the window.history issue in MSIE and
that many people felt it was overblown, but Microsoft definitely got dinged for
it at the time. I can't find any good web pages that talk about it, though.
--
Configure bugmail: http://bugzilla.opendarwin.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the webkit-unassigned
mailing list