lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <467FA0F6.10600@westpoint.ltd.uk>
Date: Mon, 25 Jun 2007 12:03:18 +0100
From: Richard Moore <rich@...tpoint.ltd.uk>
To: bugtraq@...urityfocus.com,
	Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Safari XMLHttpRequest HTTP header injection

Westpoint Security Advisory
---------------------------

Title:        Safari XMLHttpRequest HTTP header injection
Risk Rating:  Low
Platforms:    MacOS and Windows
Author:       Richard Moore <rich@...tpoint.ltd.uk>
Date:         25 June 2007
Advisory ID#: wp-07-0002
URL:          http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
CVE:          CVE-2007-2401

Overview
--------

The XMLHttpRequest object is intended to enforce a same-origin
security policy, and to prevent the injection of HTTP headers that
can be used maliciously. Unpatched releases of Safari on both Windows
and MacOS X allow JavaScript to bypass these restrictions. It is
possible to insert arbitrary HTTP headers into the request, including
the Host header.

Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this
issue.

Details
-------

It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying
values containing newline characters. For example, a request such as
this is treated as valid:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

and results in:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test

Impact
------

This allows a malicious site to cause the user's browser to attack
other sites that are virtual servers on the same IP address (eg. via
SQL injection or cross-site scripting). Potentially any header can be
injected. If the user is accessing the web via a proxy then potentially
any site can be attacked.

Timeline
--------

14/06/2007	Apple informed of the vulnerability
22/06/2007	Patch released
25/06/2007	Confirmed that the fix addresses the issue
25/06/2007	Westpoint advisory release

-- 
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ