Edit report at https://bugs.php.net/bug.php?id=67513&edit=1

 ID:                 67513
 User updated by:    phpbugs at kennel17 dot co dot uk
 Reported by:        phpbugs at kennel17 dot co dot uk
 Summary:            Visited links are indistinguishable from unvisited
                     links
 Status:             Assigned
 Type:               Bug
 Package:            Website problem
 Operating System:   N/A
 PHP Version:        5.5.13
 Assigned To:        levim
 Block user comment: N
 Private report:     N

 New Comment:

Well, if a site has already been hacked then there are lots of things that are 
compromised, and visited links are probably at the bottom of that list in terms 
of risk/severity.  It doesn't make it an attack vector in itself.

Indeed, if I have injected JS into a page and want to detect visited links, 
then the first thing I do is inject a <style> tag into the page which styles 
them how I want.

Therefore I still contend that there is never a reason for a site to worry 
about visited link styling from a security perspective.


Previous Comments:
------------------------------------------------------------------------
[2014-06-26 17:24:33] [email protected]

There definitely was a problem, but only when another type of compromise had 
been obtained (such as arbitrary JavaScript execution). Here's one such article 
that explains it: http://dbaron.org/mozilla/visited-privacy

To be clear, I'm not opposed to different colors but I just want to make sure 
all the security implications have all been taken care of first.

------------------------------------------------------------------------
[2014-06-25 23:15:37] phpbugs at kennel17 dot co dot uk

> I am not sure if the issues are resolved in all major versions
> of browsers, but it was an attack vector at one point to
> distinguish visited and unvisited links.

There is a potential information leak if the browser allows the site to know 
which links have been visited, but the issue is only about the browser leaking 
user information (history) to sites.

This is not, nor has it ever been, an 'attack vector' for websites and is 
absolutely no reason not to style visited links.  It just means that you are 
limited in what styling you can apply.  However, for most situations the only 
thing you'll want to change is the colour, which is supported by all browsers.
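
Added example, not part of the bug report or of any commenter's post: a small JavaScript check that lists which declarations in `:visited` rules a browser will still apply under the styling restriction mentioned above. The property allowlist is the colour-only set documented on MDN; the helper name `auditVisitedRules` and the `SAMPLE_CSS` stylesheet are constructed for illustration.

```javascript
// Properties browsers still apply inside :visited rules (colour-only set as
// documented on MDN); everything else in such a rule is silently ignored.
const VISITED_ALLOWED = new Set([
  "color", "background-color", "border-color", "border-top-color",
  "border-right-color", "border-bottom-color", "border-left-color",
  "column-rule-color", "outline-color", "text-decoration-color",
  "text-emphasis-color", "fill", "stroke",
]);

// Constructed sample stylesheet (not from php.net).
const SAMPLE_CSS = `
a:link { color: #369; }
a:visited { color: #639; background-image: url(/tick.png); font-weight: bold; }
@media print { a:visited { text-decoration: none; border-bottom-color: #999 } }
`;

// Hypothetical helper: returns one finding per declaration in a :visited rule.
function auditVisitedRules(css) {
  const findings = [];
  const text = css.replace(/\/\*[\s\S]*?\*\//g, ""); // drop CSS comments
  // Innermost "selector { declarations }" blocks; this also reaches rules
  // nested inside @media because the body may not contain braces.
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  for (const [, selector, body] of text.matchAll(rule)) {
    if (!/:visited\b/i.test(selector)) continue;
    for (const decl of body.split(";")) {
      const idx = decl.indexOf(":");
      if (idx === -1) continue; // empty or malformed declaration
      const prop = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1).trim();
      if (!prop) continue;
      findings.push({
        selector: selector.trim(),
        prop,
        value,
        honoured: VISITED_ALLOWED.has(prop),
      });
    }
  }
  return findings;
}

for (const f of auditVisitedRules(SAMPLE_CSS)) {
  const state = f.honoured ? "applied" : "ignored";
  console.log(`${state}  ${f.selector} { ${f.prop}: ${f.value} }`);
}
```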

------------------------------------------------------------------------
[2014-06-25 16:35:07] [email protected]

Fix for your side report (connected with PHP versions) has been committed. It 
will take some time until it will spread across all our mirrors.

------------------------------------------------------------------------
[2014-06-25 15:51:46] [email protected]

I am not sure if the issues are resolved in all major versions of browsers, but 
it was an attack vector at one point to distinguish visited and unvisited links.

------------------------------------------------------------------------
[2014-06-25 15:39:06] [email protected]

"(On an unrelated note, the issue tracker refused to accept my submission if I 
selected 'Irrelevant' as the PHP version.  Therefore this bug is randomly 
logged against a random PHP version)"

Thanks for the catch, I will look into it.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=67513


--
Edit this bug report at https://bugs.php.net/bug.php?id=67513&edit=1

-- 
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
