[Webkit-unassigned] [Bug 130475] New: XSS Auditor doesn't block <script> injected before an existing <script>

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Mar 19 14:20:26 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=130475

           Summary: XSS Auditor doesn't block <script> injected before an
                    existing <script>
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
               URL: http://demofaast.elevenpaths.com:9002/xssbypass/script
                    bypass.php?value=%3Cscript%3Ealert%28%22Bypass%20Messa
                    ge%22%29
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dbates at webkit.org
                CC: abarth at webkit.org, tsepez at chromium.org


Without loss of generality, consider a page with the following PHP markup:

<!DOCTYPE html>
<html>
<body>
<?php echo $_GET["q"] ?><script>function dummy() {}</script>
</body>
</html>

Take q := "<script>alert(/XSS/)". Then the page displays a JavaScript alert with message "/XSS/".

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.



More information about the webkit-unassigned mailing list