CVE-2008-6059

Publication date 5 February 2009

Last updated 24 July 2024


Ubuntu priority

Description

xml/XMLHttpRequest.cpp in WebCore in WebKit before r38566 does not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.


Status

Package Ubuntu Release Status
webkit 9.04 jaunty Not affected
8.10 intrepid Not affected
8.04 LTS hardy Not affected
7.10 gutsy Ignored end of life, was needed
6.06 LTS dapper Not in release

Notes


mdeslaur

May not be vulnerable, see Debian bug. Upstream patch is Mac and Win only. Version of WebKit in Linux needs libsoup for cookie support.

Patch details

For informational purposes only. We recommend not to cherry-pick updates.

Package Patch details
webkit