Re: Universal XSS in Rekonq

[Josh Bressers <bressers () redhat com>]

Please use CVE-2010-2536

Thanks.

-- 
    JB

----- "Tim Brown" <timb () nth-dimension org uk> wrote:

> Hi guys,
>
> Can a CVE be assigned for the universal XSS in Rekonq 
> (https://bugs.kde.org/show_bug.cgi?id=217464).  Essentially, the error
> page 
> displayed when a requested URL is not available includes said URL.  If
> said 
> URL includes HTML fragments these will be rendered in the context of
> the 
> requested URL.  If you request something like 
> http://wontresolve.twitter.com/";><script>alert(document.cookies)</script>
> then 
> you may very well snare your Twitter cookies.
>
> Originally when I reported this bug to the Rekonq developers, it was a
> very 
> small project without much following, however Rekonq is starting to
> make its 
> way into multiple distros so I thought it was probably time to flag it
> up.
>
> Quick history:
> 05/12/09 Reported by me against Rekonq 0.4
> 05/12/09 Added note that it also appears to affect Qt's demo browser
> 05/12/09 KDE patch kwebkitpart
> 07/12/09 Confirmed by Rekonq developers
> 13/04/10 Reported resolved by developers
> 14/07/10 Retested on 0.5 and found still to be vulnerable
>
> Cheers,
> Tim
> -- 
> Tim Brown
> <mailto:timb () nth-dimension org uk>
> <http://www.nth-dimension.org.uk/>