Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Safari XMLHttpRequest HTTP header injection

from [Richard Moore] Network Security [Permanent Link]
Subject: [Full-disclosure] Safari XMLHttpRequest HTTP header injection
Date: Mon, 25 Jun 2007 12:03:18 +0100 
Westpoint Security Advisory
---------------------------

Title:        Safari XMLHttpRequest HTTP header injection
Risk Rating:  Low
Platforms:    MacOS and Windows
Author:       Richard Moore <rich@westpoint.ltd.uk>
Date:         25 June 2007
Advisory ID#: wp-07-0002
URL:          http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
CVE:          CVE-2007-2401

Overview
--------

The XMLHttpRequest object is intended to enforce a same-origin
security policy, and to prevent the injection of HTTP headers that
can be used maliciously. Unpatched releases of Safari on both Windows
and MacOS X allow JavaScript to bypass these restrictions. It is
possible to insert arbitrary HTTP headers into the request, including
the Host header.

Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this
issue.

Details
-------

It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying
values containing newline characters. For example, a request such as
this is treated as valid:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

and results in:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test

Impact
------

This allows a malicious site to cause the user's browser to attack
other sites that are virtual servers on the same IP address (eg. via
SQL injection or cross-site scripting). Potentially any header can be
injected. If the user is accessing the web via a proxy then potentially
any site can be attacked.

Timeline
--------

14/06/2007      Apple informed of the vulnerability
22/06/2007      Patch released
25/06/2007      Confirmed that the fix addresses the issue
25/06/2007      Westpoint advisory release

-- 
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Safari XMLHttpRequest HTTP header injection, Richard Moore <=
Previous by Date:  Re: [Full-disclosure] "run as" local denial-of-service enables administrative account processes to be killed, KJK::Hyperion
Next by Date:  [GOODFELLAS - VULN] BarCodeAx.dll v. 4.9 ActiveX Control Remote Stack Buffer Overflow, GOODFELLAS SRT
Previous by Thread:  [Full-disclosure] "run as" local denial-of-service enables administrative account processes to be killed, Eitan Caspi
Next by Thread:  [GOODFELLAS - VULN] BarCodeAx.dll v. 4.9 ActiveX Control Remote Stack Buffer Overflow, GOODFELLAS SRT
Indexes:  [Date] [Thread] [Top] [All Lists]