Closed Bug 301275 Opened 14 years ago Closed 14 years ago

Cross site scripting vulnerability from secure to non-secure

Categories

(SeaMonkey :: General, defect, major)

1.7 Branch
x86
Windows 98
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 135007

People

(Reporter: bht237, Unassigned)

Details

Attachments

(1 file)

Mozilla 1.7.8
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511

A simple script allows sending data from a secure page to another spying server.
The user is not alerted and the secure lock icon is shown.

Please refer to the attached testcase.

This vulnerability has not been made public and I do not intend to publish it.

Not showing the mixed state for these images is a bug, but the testcase as
designed shows maliciousness or a server doing stupid things. If either is the
case fixing the non-SSL image detection bug isn't going to help you, the server
could be malicious or stupid out the back end where the browser can't detect it.

*** This bug has been marked as a duplicate of 135007 ***
Group: security
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
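The mixed state discussed in this bug can also be checked for on the server side before a page ships. The following is an added example, not part of the bug report or of Mozilla's code: a static audit that lists the subresources an HTTPS page would fetch over plain HTTP. The function name `audit`, the tag table and the sample page with its `.example` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, class). "passive" loads expose whatever is in the
# request URL to the network; "active" loads can also rewrite the page.
SUBRESOURCES = {
    "img": ("src", "passive"), "video": ("src", "passive"),
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"),
}

class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.secure_page = urlsplit(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        # Only stylesheet links are fetched as part of rendering the page.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = attrs.get(attr)
        if not value:
            return
        target = urljoin(self.base, value.strip())
        if self.secure_page and urlsplit(target).scheme == "http":
            self.findings.append((tag, kind, target))

def audit(page_url, html):
    """Return (tag, class, resolved URL) for each plain-HTTP subresource."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample input: an HTTPS page with one insecure image and script.
SAMPLE_URL = "https://bank.example/account"
SAMPLE_HTML = """<link rel="stylesheet" href="/site.css"><img src="/logo.png">
<img src="http://collector.example/pixel.gif?d=form-value">
<img src="//cdn.example/banner.png"><a href="http://other.example/">link</a>
<script src="http://cdn.example/lib.js"></script>"""
```

A static pass like this sees only URLs written in the markup; requests that a script builds at run time need a browser-side control such as a `Content-Security-Policy: upgrade-insecure-requests` header.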