[Webkit-unassigned] [Bug 12774] New: S60 browser doesn't properly parse HTML comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks
bugzilla-daemon at webkit.org
Wed Feb 14 13:18:34 PST 2007
http://bugs.webkit.org/show_bug.cgi?id=12774
Summary: S60 browser doesn't properly parse HTML comments, which
allows remote attackers to conduct cross-site scripting
(XSS) attacks
Product: WebKit
Version: 420+ (nightly)
Platform: PC
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0478
OS/Version: Mac OS X 10.4
Status: NEW
Severity: Normal
Priority: P2
Component: HTML DOM
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: krishnamurty.podipireddy at nokia.com
2.2.2007 Ilhan Gurel: This originally comes from the following reported
vulnerability:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0478
The link also has information about the proof of concept data.
Description of the original problem: Apple Safari does not properly parse HTML
comments, which allows remote attackers to conduct cross-site scripting (XSS)
attacks and bypass some XSS protection schemes by embedding certain HTML tags
within an HTML comment.
It has been acknowledged that this is also a valid issue for the S60 browser, as it
uses the same code.