Bug#516555: CVE-2008-6059: missing access restriction
Steffen Joeris
steffen.joeris at skolelinux.de
Sun Feb 22 10:14:27 UTC 2009
Package: webkit
Severity: important
Tags: security
Hi Mike,
the following CVE (Common Vulnerabilities & Exposures) id was
published for webkit.
CVE-2008-6059[0]:
| xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not
| properly restrict access from web pages to the (1) Set-Cookie and (2)
| Set-Cookie2 HTTP response headers, which allows remote attackers to
| obtain sensitive information from cookies via XMLHttpRequest calls,
| related to the HTTPOnly protection mechanism.
I am not quite sure that I understood the issue correctly, so I used
important as the severity. Maybe you could investigate the severity and
state your opinion?
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6059
http://security-tracker.debian.net/tracker/CVE-2008-6059
More information about the Pkg-webkit-maintainers
mailing list