
CVE-2007-2383

Publication date 30 April 2007

Last updated 24 July 2024


Ubuntu priority

The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves the data through a URL in the SRC attribute of a SCRIPT element and captures the data using other JavaScript code, aka "JavaScript Hijacking."

Status

Package                  Ubuntu Release     Status
libhtml-prototype-perl   7.04 feisty        Ignored
                         6.10 edgy          Ignored
                         6.06 LTS dapper    Ignored

Notes


jdstrand

This CVE is a general class of attacks called JavaScript Hijacking. Its impact is largely dependent on how the developer a) uses the library, b) configures the library and c) interacts with the server. While the paper recommends defeating hijacking via both of two means, the CVE states that Prototype does not have "an associated protection scheme". Prototype can be configured to use POST instead of GET, and with server side scripting (as proposed in the paper), can thwart the attack.
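The server-side check that the note above refers to, written out as an added example (this is not code from the Ubuntu tracker, the Prototype project, or the cited paper): a JSON endpoint that only answers POST requests carrying the X-Requested-With header. A SCRIPT element's SRC fetch can only issue a GET with no custom headers, so the JSON is never served in a form the hijacking page can load; the header name and the sample data are assumptions for illustration, and the example assumes the client is configured, as the note suggests, to POST via Prototype's Ajax.Request, which sets that header by default.

```javascript
// Constructed sample data standing in for whatever the endpoint really returns.
const SENSITIVE_JSON = ["alice@example.test", "bob@example.test"];

// Decide whether a request may receive the JSON body.
// Header names are compared case-insensitively; values are trimmed.
function allowJsonRequest(req) {
  // A <script src="..."> include can only perform a GET.
  if (req.method !== "POST") return false;
  const headers = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    headers[name.toLowerCase()] = String(value).trim().toLowerCase();
  }
  // A <script> tag cannot attach custom headers; XMLHttpRequest can.
  return headers["x-requested-with"] === "xmlhttprequest";
}

// Build the HTTP response for a JSON endpoint guarded by the check above.
// Rejected requests get a 405 with an empty body, so nothing leaks.
function handleJson(req) {
  if (!allowJsonRequest(req)) {
    return { status: 405, headers: { Allow: "POST" }, body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(SENSITIVE_JSON),
  };
}

// Two constructed requests: what a hijacking page's <script src> fetch looks
// like on the server, and what a POSTing Ajax.Request looks like.
const scriptTagFetch = { method: "GET", headers: { accept: "*/*" } };
const ajaxPost = {
  method: "POST",
  headers: { "X-Requested-With": "XMLHttpRequest", accept: "application/json" },
};

// Returns both outcomes so the difference can be inspected or asserted.
function demo() {
  return { scriptTag: handleJson(scriptTagFetch), ajax: handleJson(ajaxPost) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```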