Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2010-1236

The protocolIs function in platform/KURLGoogle.cpp in WebCore in WebKit before r55822, as used in Google Chrome before 4.1.249.1036 and Flock Browser 3.x before 3.0.0.4112, does not properly handle whitespace at the beginning of a URL, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted javascript: URL, as demonstrated by a \x00javascript:alert sequence.

Related bugs and status

CVE-2010-1236 (Candidate) is related to these bugs:

Bug #584016: security update available for chromium

		In	Importance	Status
584016	security update available for chromium	chromium-browser (Ubuntu)	Undecided	Fix Released
584016	security update available for chromium	chromium-browser (Ubuntu Lucid)	Undecided	Fix Released
584016	security update available for chromium	chromium-browser (Ubuntu Maverick)	Undecided	Fix Released

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://code.google.com...
CONFIRM: http://googlechromerel...
CONFIRM: http://codereview.chro...
CONFIRM: http://flock.com/secur...
CONFIRM: https://bugs.webkit.or...
SUSE: SUSE-SR:2011:002
SECUNIA: 43068
VUPEN: ADV-2011-0212
CONFIRM: http://src.chromium.or...
OVAL: oval:org.mitre.oval:de...