Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180627125532.21ce2e53@computer>
Date: Wed, 27 Jun 2018 12:55:32 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: squirrelmail XSS issues in bug tracker since
 2016

On Wed, 27 Jun 2018 12:26:09 +0200
Hanno Böck <hanno@...eck.de> wrote:

> PoC2: This is "XSS-via-data-uri", a data URI runs in its own origin,
> thus I don't see how this is a security risk. It's not really an XSS.

Have to correct myself: As Mario Heiderich has pointed out to me [1]
this actually depends on the browser. While most modern browsers run
data URIs in their own origin, this is not the case in Firefox 52 ESR
and in the Tor Browser (which is based on Firefox 52 ESR).


[1] https://twitter.com/0x6D6172696F/status/1011916899867922432

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.