Closed
Bug 301275
Opened 19 years ago
Closed 19 years ago
Cross site scripting vulnerability from secure to non-secure
Categories
(SeaMonkey :: General, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 135007
People
(Reporter: bht237, Unassigned)
Details
Attachments
(1 file)
3.43 KB,
text/html
Mozilla 1.7.8
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511
A simple script allows sending data from a secure page to another spying server.
The user is not alerted and the secure lock icon is shown.
Please refer to the attached testcase.
This vulnerability has not been made public and I do not intend to publish it.
Comment 2•19 years ago
Not showing the mixed state for these images is a bug, but the testcase as
designed shows maliciousness or a server doing stupid things. If either is the
case, fixing the non-SSL image detection bug isn't going to help you, the server
could be malicious or stupid out the back end where the browser can't detect it.
*** This bug has been marked as a duplicate of 135007 ***
Group: security
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE