Date: Wed, 27 Jun 2018 12:55:32 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: squirrelmail XSS issues in bug tracker since 2016 On Wed, 27 Jun 2018 12:26:09 +0200 Hanno Böck <hanno@...eck.de> wrote: > PoC2: This is "XSS-via-data-uri", a data URI runs in its own origin, > thus I don't see how this is a security risk. It's not really an XSS. Have to correct myself: As Mario Heiderich has pointed out to me  this actually depends on the browser. While most modern browsers run data URIs in their own origin, this is not the case in Firefox 52 ESR and in the Tor Browser (which is based on Firefox 52 ESR).  https://twitter.com/0x6D6172696F/status/1011916899867922432 -- Hanno Böck https://hboeck.de/ mail/jabber: hanno@...eck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ