Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17340
HistoryJun 25, 2007 - 12:00 a.m.

[Full-disclosure] Safari XMLHttpRequest HTTP header injection

2007-06-2500:00:00
vulners.com
20
JSON

Westpoint Security Advisory

Title: Safari XMLHttpRequest HTTP header injection
Risk Rating: Low
Platforms: MacOS and Windows
Author: Richard Moore <[email protected]>
Date: 25 June 2007
Advisory ID#: wp-07-0002
URL: http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
CVE: CVE-2007-2401

Overview

The XMLHttpRequest object is intended to enforce a same-origin
security policy, and to prevent the injection of HTTP headers that
can be used maliciously. Unpatched releases of Safari on both Windows
and MacOS X allow JavaScript to bypass these restrictions. It is
possible to insert arbitrary HTTP headers into the request, including
the Host header.

Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this
issue.

Details

It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying
values containing newline characters. For example, a request such as
this is treated as valid:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

and results in:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test

Impact

This allows a malicious site to cause the user's browser to attack
other sites that are virtual servers on the same IP address (eg. via
SQL injection or cross-site scripting). Potentially any header can be
injected. If the user is accessing the web via a proxy then potentially
any site can be attacked.

Timeline

14/06/2007 Apple informed of the vulnerability
22/06/2007 Patch released
25/06/2007 Confirmed that the fix addresses the issue
25/06/2007 Westpoint advisory release


Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

prion 1
cert 1
cve 1
nessus 1
seebug 1
prion
prion
Crlf injection
2007-06-25 19:30:00
cert
cert
Apple WebCore XMLHttpRequest fails to properly serialize headers into an HTTP request
2007-06-22 00:00:00
cve
cve
CVE-2007-2401
2007-06-25 19:30:00
nessus
nessus
Mac OS X Multiple Vulnerabilities (Security Update 2007-006)
2007-06-25 00:00:00
seebug
seebug
Apple iPhone多个安全漏洞
2007-08-02 00:00:00
JSON
Related for SECURITYVULNS:DOC:17340
prion1cert1cve1nessus1seebug1