Message-ID: <90d6eea4e8f0b3216d26c631c3526f73@uic.edu>
Date: Fri, 4 Feb 2005 06:10:10 -0600
From: Jonathan Rockway <jrockw2@....edu>
To: bugtraq@...urityfocus.com
Cc: product-security@...le.com
Subject: Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12


Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12

Apple's Safari web browser ignores the Content-type: header sent by the
web server.  As a result, plain text is rendered as HTML.  This is
obviously undesirable; a text file could contain HTML and carry out an
XSS attack.

For an example of this in action, visit:

http://tigger.uic.edu/htbin/perlwrap/jrockw2/safari_test.pl

This will only work if you are on the UIC campus; if you have a login
at UIC, UIUC, or UIS you can visit:

https://tigger.uic.edu/htbin/perlwrap-auth/jrockw2/safari_test.pl

Anyway, for the 99.99% of you not affiliated with the University of 
Illinois, this script simply prints:
  --
Content-type: text/plain

<HTML><BODY><FONT color="red">Your browser contains a security problem 
if this text is red.</FONT></BODY></HTML>
  --

sans the --'s, obviously.

In Safari, the text is red.  In Firefox 1.0, the text is rendered 
appropriately; i.e. the user sees the tag soup.

The security problem is that servers serving HTML may be taking 
measures to prevent XSS attacks; i.e. they convert < to &lt;.  These 
servers, when serving plain text, may not do this (because it is 
unnecessary and undesirable).  Safari opens up a hole where a malicious 
user could inject HTML into a plain text output and perform an XSS 
attack that would not work otherwise (with a proper browser).
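The server-side check a defender would want for this class of bug, as an added example that is not part of the advisory: a small Python audit helper that flags "text/plain" bodies a sniffing browser might treat as markup and builds a hardened response (the tag list is an assumption for illustration, not Safari 1.2.4's actual heuristic; X-Content-Type-Options: nosniff is a header browsers adopted after this advisory).

```python
import html

# Start tags whose presence near the top of a body commonly makes a
# content-sniffing browser treat "text/plain" as HTML.  This list is an
# assumption for illustration, not the heuristic Safari 1.2.4 used.
HTML_START_TAGS = ("<!doctype html", "<html", "<head", "<body", "<script",
                   "<iframe", "<font", "<table", "<div", "<img", "<style",
                   "<title", "<h1", "<br", "<b>", "<p>", "<a ")


def looks_like_html(body: str, sniff_len: int = 512) -> bool:
    """True if the first sniff_len characters contain an HTML-ish start tag."""
    head = body[:sniff_len].lstrip().lower()
    return any(tag in head for tag in HTML_START_TAGS)


def text_response(body: str, escape_if_sniffable: bool = True):
    """Build (status, headers, body) for untrusted plain-text output.

    nosniff tells browsers that honour it to trust the declared type; as a
    fallback for browsers that still sniff, bodies that would be sniffed
    as markup are HTML-escaped (a mitigation choice made here, not the
    advisory's recommendation).
    """
    headers = [("Content-Type", "text/plain; charset=utf-8"),
               ("X-Content-Type-Options", "nosniff")]
    out = body
    if escape_if_sniffable and looks_like_html(body):
        out = html.escape(body, quote=False)   # < > & become entities
    return 200, headers, out


# Constructed sample inputs: the advisory's test body and a harmless one.
SAMPLE_BODY = ('<HTML><BODY><FONT color="red">Your browser contains a '
               'security problem if this text is red.</FONT></BODY></HTML>\n')
SAFE_BODY = "Hello, world. 2 < 3 and 3 > 2.\n"

if __name__ == "__main__":
    for name, b in (("advisory sample", SAMPLE_BODY), ("plain", SAFE_BODY)):
        status, hdrs, out = text_response(b)
        verdict = "sniffable" if looks_like_html(b) else "plain"
        print(f"{name}: {verdict} -> {out!r}")
```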

The latest version of this advisory is viewable at 
http://tigger.uic.edu/~jrockw2/safari_20050204.txt

Note that it won't render properly in Safari :-)

Regards,
-- 
Jonathan Rockway <jrockway@...puter.org>
Student - University of Illinois at Chicago
http://www.uic.edu/~jrockw2/


