Yesterday I (Francesco `ascii` Ongaro) found a low-impact bug: basically it is possible to make the user visit a page that is not listed in the Back/Next button history. The fun happens when self.location.replace() points to a page that issues an HTTP/1.x 302 Redirect + Location. Neither the initial page nor the redirect page will be listed.
Since the bug is really trivial, I feel that this amount of information plus a PoC is enough to let everybody fully understand the bug.
PoC: http://ascii.ush.it/hack-shadowpage/
Initially I believed that it was just a Mozilla Firefox bug, but when I tested the PoC on other browsers it worked flawlessly. So again: it's not remote code execution, but it works on every browser I tried, and this makes it kinda cool.
Tested browsers:
Mozilla Firefox 1.5.0.11 (works)
Mozilla Firefox 2.0.0.3 (works)
GNOME Web Browser 2.16.2/Epiphany (works)
Opera 9.20 (works)
Microsoft Internet Explorer 7 (works)
Microsoft Internet Explorer 6 (works)
Microsoft Internet Explorer 5.5 (works)
Microsoft Internet Explorer 5 (works)
Konqueror 3.5.2 (works)
Safari 2.0.4 (419.3) (works)