Closed Bug 301275 Opened 19 years ago Closed 19 years ago

Cross site scripting vulnerability from secure to non-secure

Categories

(SeaMonkey :: General, defect)

Product:
SeaMonkey
Component:
General
Version:
1.7 Branch
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 135007

People

(Reporter: bht237, Unassigned)

Details

Attachments

(1 file)

Testcase with instructions in HTML comments.
3.43 KB, text/html
Details 
Mozilla 1.7.8
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511

A simple script allows to send data from a secure page to another spying server.
The user is not alerted and the secure lock icon is shown.

Please refer to the attached testcase.

This vulnerability has not been made public and I do not intend to publish it.

    
    

    
  
Not showing the mixed state for these images is a bug, but the testcase as
designed shows maliciousness or a server doing stupid things. If either is the
case fixing the non-SSL image detection bug isn't going to help you, the server
could be malicious or stupid out the back end where the browser can't detect it.

*** This bug has been marked as a duplicate of 135007 ***
Group: security
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: