[Webkit-unassigned] [Bug 29278] XSSAuditor bypasses from sla.ckers.org
bugzilla-daemon at webkit.org
Tue Sep 15 15:06:12 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=29278
--- Comment #1 from Daniel Bates <dbates at webkit.org> 2009-09-15 15:06:11 PDT ---
The second attack is blocked with r46250 with proposed patch 1 of bug #27895
(*).
(*)This is my working copy on one of my machines. I will look into doing a
clean checkout to confirm.
(In reply to comment #0)
> The good folks at sla.ckers.org are poring over the XSSAuditor in this thread:
>
> http://sla.ckers.org/forum/read.php?13,31377
>
> So far, they've found two bypasses:
>
> http://eaea.sirdarckcat.net/xss.php?html_xss=<iframe+src="javascript:'1%25251';alert(document.domain)">
> http://eaea.sirdarckcat.net/xss.php?html_xss=<img%20src=ä%20onerror=alert('ä')>
>
> The first one is a nice double-encoding issue. I think we're only decoding
> once. I don't quite understand the second one yet. Something tricky with
> unicode.
>
> Feel free to create spin-off bugs for fixing each issue. I just wanted a
> central place to write them down for now.
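The double-encoding hypothesis in comment #0 ("we're only decoding once"), as an added, simplified model that is not WebKit's XSSAuditor code: the reflecting server is a constructed stand-in that percent-decodes the query value once, the browser's handling of a `javascript:` iframe `src` decodes the payload a second time, and the check either decodes the request URL once or canonicalises it to a fixpoint before looking for the script that is about to run. The host `example.invalid` and the helper names are assumptions.

```python
import re
from urllib.parse import unquote, unquote_plus

def decode_once(s: str) -> str:
    # A single percent-decode of the request URL, the behaviour the comment suspects.
    return unquote(s)

def decode_fully(s: str, max_rounds: int = 8) -> str:
    # Percent-decode until the value stops changing; bounded so crafted input
    # cannot keep the loop busy. Invalid sequences such as "%1'" are left alone.
    for _ in range(max_rounds):
        nxt = unquote(s)
        if nxt == s:
            break
        s = nxt
    return s

def reflecting_server(request_url: str) -> str:
    # Constructed stand-in for the reflecting page: the query value is decoded
    # once ("+" becomes a space) and echoed into the HTML without escaping.
    value = request_url.split("html_xss=", 1)[1]
    return "<html><body>" + unquote_plus(value) + "</body></html>"

def script_from_javascript_url(html: str) -> str:
    # What would run for a javascript: iframe src: the URL body after the
    # browser's own percent-decoding, i.e. a second decode of the payload.
    m = re.search(r'src="javascript:([^"]*)"', html)
    return unquote(m.group(1)) if m else ""

def script_found_in_request(script: str, request_url: str, decode) -> bool:
    # Simplified auditor check: does the about-to-run script appear in the
    # request URL once `decode` has been applied to that URL?
    return script in decode(request_url)

# Constructed request mirroring the first bypass reported in comment #0.
REQUEST_URL = ("http://example.invalid/xss.php?html_xss="
               "<iframe+src=\"javascript:'1%25251';alert(document.domain)\">")

def demo() -> dict:
    html = reflecting_server(REQUEST_URL)
    script = script_from_javascript_url(html)
    return {
        "script": script,
        "single_decode_blocks": script_found_in_request(script, REQUEST_URL, decode_once),
        "full_decode_blocks": script_found_in_request(script, REQUEST_URL, decode_fully),
    }
```

Decoding to a fixpoint only addresses percent-encoding depth; the second bypass in the report (the `ä` case) is not modelled here.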