[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.
- To: submit@xxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] KDE 3.2.2 (sarge) Konqueror suffers XSS vuln.
- From: "Yanosz" <yanosz@xxxxxxx>
- Date: Wed, 27 Oct 2004 15:45:21 +0200
Package: Konqueror
Version: 3.2.2-1 (sarge)
Severity: Important
In contrast to other browsers like firefox, Konqueror allows JavaScript to
access other frames in a frameset, loaded with from different (sub)domain. By
that enclosed / secret data can be read through a hidden frameset.
See http://groenndemon.de/bla for demonstration.
(I'd like also to thank the webmaster for motivating me to explore that issue
and setting a wegpage up for demonstration)
(Translation: Action Ändern -> Change action
Passwort klauen -> steel password
Abschicken -> submit)
Please verify this issue on other versions - 3.1.4 seems to be affected as
well.
Keep smiling
yanosz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html