Date: Tue, 4 Mar 2014 10:03:01 +0100
From: Hanno Böck <hanno@...eck.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE request: konqueror not providing any protection against
 clickjacking

Hi,

It may be debatable if that's a CVE issue, because it's basically a
"there's a general vulnerability in the way HTML/JS is done, there's a
protection mechanism and product X doesn't have it". I think it
deserves one and as Konqueror issues recently popped up here I thought
it might deserve a CVE:
https://bugs.kde.org/show_bug.cgi?id=259070

Basically, pretty much all mainstream browsers support the
X-Frame-Options header to allow web developers to secure their apps
from clickjacking attacks. Konqueror doesn't support it.

Please assign CVE.

(and if curious: I've set up a test for X-FRAME-OPTIONS header
functionality a while ago http://int21.de/frametest/ )

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
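
The check a browser performs when it honours X-Frame-Options, sketched per RFC 7034 as an added example (not part of the original post, and not Konqueror's or any browser's code). The function name, the handling of malformed or unrecognised values, and the example.* URLs are assumptions; a browser without this check renders the frame as if the header had never been sent.

```javascript
// Origin is scheme + host + port; URL.origin normalises default ports.
const originOf = (url) => new URL(url).origin;

// headerValue:  raw X-Frame-Options value, or null if the header is absent.
// frameUrl:     URL of the document being loaded into the frame.
// ancestorUrls: URLs of every ancestor browsing context, top-level last
//               (empty when the document is loaded at top level).
function mayRenderInFrame(headerValue, frameUrl, ancestorUrls) {
  if (headerValue === null || ancestorUrls.length === 0) {
    return true; // no policy sent, or the document is not framed at all
  }
  const [directive, ...rest] = headerValue.trim().split(/\s+/);
  switch (directive.toUpperCase()) {
    case 'DENY':
      return false; // never render inside any frame
    case 'SAMEORIGIN': {
      // RFC 7034 notes that browsers differ on checking only the top-level
      // context or all ancestors; this sketch checks every ancestor.
      const self = originOf(frameUrl);
      return ancestorUrls.every((u) => originOf(u) === self);
    }
    case 'ALLOW-FROM': {
      if (rest.length !== 1) return false; // malformed: fail closed (assumption)
      let allowed;
      try {
        allowed = originOf(rest[0]);
      } catch {
        return false; // unparsable origin: fail closed (assumption)
      }
      const top = ancestorUrls[ancestorUrls.length - 1];
      return originOf(top) === allowed;
    }
    default:
      return true; // unrecognised value is ignored (assumption of this sketch)
  }
}

// Constructed sample URLs, not taken from the post.
const FRAME = 'https://bank.example/transfer';
const OTHER_SITE = ['https://other.example/game.html'];
const SAME_SITE = ['https://bank.example:443/home'];

console.log('DENY, framed by other site:      ', mayRenderInFrame('DENY', FRAME, OTHER_SITE));
console.log('SAMEORIGIN, framed by other site:', mayRenderInFrame('SAMEORIGIN', FRAME, OTHER_SITE));
console.log('SAMEORIGIN, framed by same site: ', mayRenderInFrame('SAMEORIGIN', FRAME, SAME_SITE));
console.log('no header, framed by other site: ', mayRenderInFrame(null, FRAME, OTHER_SITE));
```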
