Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Macintosh :: bu-141.htm

Apple Safari cross-domain XML theft vulnerability



Apple Safari cross-domain XML theft vulnerability
Apple Safari cross-domain XML theft vulnerability



Hi,

Safari prior to version 4 may permit an evil web page to steal
arbitrary XML data cross-domain.

This is accomplished by abusing a relatively obscure cross-domain
access point which was completely missing a cross-domain access check.
The access point in question is the document() function in XSL. This
is best illustrated with a sample evil XSL file which abuses this
function:

xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
xmlns:str="http://exslt.org/strings" extension-element-prefixes="str"> 



Below, you should see e-mail stolen cross-domain!

To mount the attack, the attacker would serve a web page which has XML MIME type and requests to be styled by the evil stylesheet: irrelevant There are a number of interesting XML-based formats you might want to steal including authenticated RSS, XML-formatted AJAX-y responses, and XHTML. Full technical details: http://scary.beasts.org/security/CESA-2009-008.html Blog post: http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-also-fixes-cross-domain.html (includes 1-click demo) Cheers Chris


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH