The Prototype (prototypejs) framework before 1.5.1 RC3 exchanges data using
which allows remote attackers to obtain the data via a web page that
retrieves the data through a URL in the SRC attribute of a SCRIPT element
It's impact is largely dependent on how the developer a) uses the
library, b) configures the library and c) interacts with the server. While
the paper recommends defeating hijacking via both of two means, the CVE
states that Prototype does not have "an associated protection scheme".
Prototype can be configured to use POST instead of GET, and with server
side scripting (as proposed in the paper), can thwart the attack.
Updated: 2016-01-26 17:28:34 UTC (commit 10507)