Package: midori
Version: 0.2.2-1
Severity: normal

There is a "Disclosure of user information" security flaw in the midori 
browser due to the implementation of support for CSS :visited pseudoclass 
elements. It is possible to specify a background-url attribute which will make
a request to the server if a particular link has been visited. Using this CSS
mechanism, it is possible for a hosting server to determine visited links
without using Javascript. 
 
For example: 
 
<style> 
   a#link1:visited { background-image: url(/log?link1_was_visited); } 
   a#link2:visited { background-image: url(/log?link2_was_visited); } 
 </style> 
 <a href="http://google.com"; id="link1"> 
 <a href="http://yahoo.com"; id="link2"> 
 
If link1 (http://google.com) has been visited, the browser will make a request 
back to the server to retrieve the background for the #link1 rule. By 
appending a different URL argument to each rule we can determine which of the 
links were visited. Please note that this requires no client-side scripting 
whatsoever, and only relies on the availability of CSS. 
 
The following website demonstrates a working exploit of this vulnerability: 
http://www.whattheinternetknowsaboutyou.com/ 
 
Mark.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (60, 'testing'), (50, 'unstable')
Architecture: i386 (i386)

Kernel: Linux 2.6.26-2-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash

Versions of packages midori depends on:
ii  dbus-x11                    1.2.16-2     simple interprocess messaging syst
ii  libatk1.0-0                 1.30.0-1     The ATK accessibility toolkit
ii  libc6                       2.10.2-2     GNU C Library: Shared libraries
ii  libcairo2                   1.8.8-2      The Cairo 2D vector graphics libra
ii  libdbus-1-3                 1.2.16-2     simple interprocess messaging syst
ii  libdbus-glib-1-2            0.82-2       simple interprocess messaging syst
ii  libfontconfig1              2.8.0-2      generic font configuration library
ii  libfreetype6                2.3.11-1     FreeType 2 font engine, shared lib
ii  libglib2.0-0                2.24.0-1     The GLib library of C routines
ii  libgtk2.0-0                 2.18.3-1     The GTK+ graphical user interface 
ii  libjs-mootools              1.2.4-1      compact JavaScript framework
ii  libnotify1 [libnotify1-gtk2 0.4.5-1      sends desktop notifications to a n
ii  libpango1.0-0               1.26.1-1     Layout and rendering of internatio
ii  libsoup2.4-1                2.28.2-1     an HTTP library implementation in 
ii  libsqlite3-0                3.6.23.1-1   SQLite 3 shared library
ii  libunique-1.0-0             1.1.6-1      Library for writing single instanc
ii  libwebkit-1.0-2             1.1.17-2     Web content engine library for Gtk
ii  libx11-6                    2:1.2.2-1    X11 client-side library
ii  libxml2                     2.7.6.dfsg-1 GNOME XML library

Versions of packages midori recommends:
ii  gnome-icon-theme              2.28.0-1   GNOME Desktop icon theme

midori suggests no packages.

-- no debconf information




-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to