Bug 484197 - (CVE-2008-6059) CVE-2008-6059 WebKit: Sensitive information disclosure from cookies via XMLHttpRequest calls
Status: CLOSED UPSTREAM
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
medium Severity medium
Assigned To: Red Hat Product Security
http://trac.webkit.org/changeset/3856...
public=20081118,reported=20090204,imp...
: Security
Reported: 2009-02-05 06:18 EST by Jan Lieskovsky
Modified: 2017-07-21 11:31 EDT
Doc Type: Bug Fix
Last Closed: 2010-12-23 17:56:51 EST
Description Jan Lieskovsky 2009-02-05 06:18:57 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6059 to
the following vulnerability:

xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not
properly restrict access from web pages to the (1) Set-Cookie and (2)
Set-Cookie2 HTTP response headers, which allows remote attackers to
obtain sensitive information from cookies via XMLHttpRequest calls,
related to the HTTPOnly protection mechanism.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6059
http://trac.webkit.org/changeset/38566/trunk/WebCore/xml/XMLHttpRequest.cpp
https://bugs.webkit.org/show_bug.cgi?id=10957
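
The restriction the CVE text describes can be modelled as a filter in front of the two XMLHttpRequest response-header accessors. The following is an added example, not WebKit's code and not part of the original report; the function names, the header-array layout and the sample response are constructed for illustration.

```javascript
// Model of XMLHttpRequest response-header access (hypothetical helper names).
// Constructed sample response, as a network layer might hold it after parsing.
const SAMPLE_HEADERS = [
  ["Content-Type", "text/html"],
  ["Set-Cookie", "SID=constructed-secret; HttpOnly; Path=/"],
  ["set-cookie2", "SID2=constructed-secret; Version=1"],
  ["X-Request-Id", "abc123"],
];

// The two headers named in the CVE. Field names are case-insensitive,
// so every comparison is done in lower case.
const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

function isForbidden(name) {
  return FORBIDDEN_RESPONSE_HEADERS.has(String(name).trim().toLowerCase());
}

// Behaviour described in the CVE: every header is handed to the page,
// so an HttpOnly cookie value is readable by script.
function getAllResponseHeadersUnfiltered(headers) {
  return headers.map(([n, v]) => `${n}: ${v}\r\n`).join("");
}

// Restricted accessors: cookie-setting headers are dropped before script sees them.
function getAllResponseHeaders(headers) {
  return headers
    .filter(([n]) => !isForbidden(n))
    .map(([n, v]) => `${n}: ${v}\r\n`)
    .join("");
}

function getResponseHeader(headers, name) {
  if (isForbidden(name)) return null;
  const wanted = String(name).trim().toLowerCase();
  const values = headers
    .filter(([n]) => n.toLowerCase() === wanted)
    .map(([, v]) => v);
  return values.length ? values.join(", ") : null;
}

// Regression check: does an accessor's output still expose either header?
function leaksCookieHeaders(allHeadersText) {
  return allHeadersText
    .split(/\r?\n/)
    .some((line) => isForbidden(line.split(":")[0]));
}
```

`leaksCookieHeaders` can be pointed at the output of any header accessor in a test suite to confirm that neither header reaches script, whatever the letter case of the field name.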
Comment 1 Jan Lieskovsky 2009-02-05 06:20:30 EST
This issue affects the versions of the WebKit package shipped
with Fedora releases 9 and 10.

Please fix.

This issue does NOT affect the version of the WebKit package shipped
with the Fedora devel release.
Comment 2 Vincent Danen 2010-12-23 17:56:51 EST
This is fixed in the latest webkit packages we provide in Fedora and RHEL6.