Your message dated Sat, 16 Feb 2013 17:48:17 -0500 with message-id <CANTw=MNK4y1m12Pj-zituH=ixpuakajgu5qsjedxdj9hchp...@mail.gmail.com> and subject line re: CSS visited elements allow for disclosure of users browser history has caused the Debian Bug report #579136, regarding CSS visited elements allow for disclosure of users browser history to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 579136: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579136 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: midori Version: 0.2.2-1 Severity: normal There is a "Disclosure of user information" security flaw in the midori browser due to the implementation of support for CSS :visited pseudoclass elements. It is possible to specify a background-url attribute which will make a request to the server if a particular link has been visited. Using this CSS mechanism, it is possible for a hosting server to determine visited links without using Javascript. For example: <style> a#link1:visited { background-image: url(/log?link1_was_visited); } a#link2:visited { background-image: url(/log?link2_was_visited); } </style> <a href="http://google.com"; id="link1"> <a href="http://yahoo.com"; id="link2"> If link1 (http://google.com) has been visited, the browser will make a request back to the server to retrieve the background for the #link1 rule. By appending a different URL argument to each rule we can determine which of the links were visited. Please note that this requires no client-side scripting whatsoever, and only relies on the availability of CSS. The following website demonstrates a working exploit of this vulnerability: http://www.whattheinternetknowsaboutyou.com/ Mark. -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (60, 'testing'), (50, 'unstable') Architecture: i386 (i386) Kernel: Linux 2.6.26-2-486 Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) Shell: /bin/sh linked to /bin/dash Versions of packages midori depends on: ii dbus-x11 1.2.16-2 simple interprocess messaging syst ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit ii libc6 2.10.2-2 GNU C Library: Shared libraries ii libcairo2 1.8.8-2 The Cairo 2D vector graphics libra ii libdbus-1-3 1.2.16-2 simple interprocess messaging syst ii libdbus-glib-1-2 0.82-2 simple interprocess messaging syst ii libfontconfig1 2.8.0-2 generic font configuration library ii libfreetype6 2.3.11-1 FreeType 2 font engine, shared lib ii libglib2.0-0 2.24.0-1 The GLib library of C routines ii libgtk2.0-0 2.18.3-1 The GTK+ graphical user interface ii libjs-mootools 1.2.4-1 compact JavaScript framework ii libnotify1 [libnotify1-gtk2 0.4.5-1 sends desktop notifications to a n ii libpango1.0-0 1.26.1-1 Layout and rendering of internatio ii libsoup2.4-1 2.28.2-1 an HTTP library implementation in ii libsqlite3-0 3.6.23.1-1 SQLite 3 shared library ii libunique-1.0-0 1.1.6-1 Library for writing single instanc ii libwebkit-1.0-2 1.1.17-2 Web content engine library for Gtk ii libx11-6 2:1.2.2-1 X11 client-side library ii libxml2 2.7.6.dfsg-1 GNOME XML library Versions of packages midori recommends: ii gnome-icon-theme 2.28.0-1 GNOME Desktop icon theme midori suggests no packages. -- no debconf information
--- End Message ---
--- Begin Message ---This isn't exactly ideal, but the site demonstrating the problem is gone from the internet.
--- End Message ---
