[Webkit-unassigned] [Bug 22199] Safari, like other browsers, actually parses and runs code in favicon.ico
bugzilla-daemon at webkit.org
Thu Nov 13 14:51:39 PST 2008
https://bugs.webkit.org/show_bug.cgi?id=22199
scott at newgeo.com changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |UNCONFIRMED
         Resolution|INVALID                     |
------- Comment #5 from scott at newgeo.com 2008-11-13 14:51 PDT -------
It is hard for me to say much at all, since I do not have access to the
exploited machine I noticed this on. I understand a request for favicon.ico
should redirect. I do not think that is what is happening.
I think if you look at it this way, what if a gif or jpg could have javascript
or an http redirect embedded in the binary file? As a browser rendered the
image file, it would then see the malicious code, and follow its instructions.
I have a strong feeling that is what is happening with the favicon.ico file.