The WIse SECurity
Thursday, November 01, 2007, 23:29
HTTP Response Splitting and Data: URI scheme in Firefox
After reading Pdp's point of view on the data: URI scheme in Firefox, here is another reason why Mozilla developers should stop propagating data: URIs to the initiating parent site.
If this script also suffers from HTTP Response Splitting, an attacker could easily inject a Refresh: header with a data: URI.
Firefox will happily execute it in the context of the redirector.
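On the server side, the redirector can close this hole by refusing any target that could end the Location header early or that uses a non-web scheme. The following is an added example, not code from the original post; the allowlisted host, the function names and the sample inputs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this sketch: the redirector only ever needs to send users
# to web pages on hosts it knows about.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.example.test"}  # hypothetical allowlist


class UnsafeRedirect(ValueError):
    """Raised when a redirect target must not be placed in a header."""


def validate_target(target: str) -> str:
    """Validate an already URL-decoded redirect target.

    The value must be checked after the framework has decoded the query
    string, because %0d%0a only becomes CR/LF at that point.
    """
    # CR or LF would terminate the Location header and let the caller add
    # headers of their own (for example Refresh). Reject every control
    # character and whitespace, none of which is valid in a URL.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        raise UnsafeRedirect("control character or whitespace in target")

    parts = urlsplit(target)
    # data:, javascript: and similar schemes are never legitimate targets
    # for a redirector, whichever header ends up carrying them.
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeRedirect("scheme not allowed: %r" % parts.scheme)
    if parts.hostname not in ALLOWED_HOSTS:
        raise UnsafeRedirect("host not allowed: %r" % parts.hostname)
    return target


def build_redirect(target: str):
    """Return (status, headers) for the response; fail closed on bad input."""
    try:
        location = validate_target(target)
    except ValueError:  # UnsafeRedirect, or a malformed URL from urlsplit
        return 400, [("Content-Type", "text/plain")]
    return 302, [("Location", location)]


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate target, one carrying CR/LF.
    print(build_redirect("https://www.example.test/home"))
    print(build_redirect("https://www.example.test/\r\nRefresh: 0; url=data:text/html,placeholder"))
```
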
Wisec is written and maintained by Stefano Di Paola.