Bug#516555: CVE-2008-6059: missing access restriction

Steffen Joeris steffen.joeris at skolelinux.de
Sun Feb 22 10:14:27 UTC 2009

Package: webkit
Severity: important
Tags: security

Hi Mike,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.

| xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not
| properly restrict access from web pages to the (1) Set-Cookie and (2)
| Set-Cookie2 HTTP response headers, which allows remote attackers to
| obtain sensitive information from cookies via XMLHttpRequest calls,
| related to the HTTPOnly protection mechanism.

I am not quite sure that I understood the issue correctly, so I used
important as the severity. Maybe you could investigate the severity and
state your opinion?

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.


For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6059

More information about the Pkg-webkit-maintainers mailing list