Apple Safari 'runscript' Function Lets Remote Users Execute Code
SecurityTracker Alert ID: 1010167
CVE Reference: CAN-2004-0486
Updated: May 22 2004
Original Entry Date: May 17 2004
Impact: Execution of arbitrary code via network
Exploit Included: Yes
Description: A vulnerability was reported in the Apple Mac OS X Safari browser, in the runscript function of the 'Help.app' application. A remote user can create HTML that, when loaded by the target user, will execute code on the target user's system.

It is reported that a remote user can create an HTML link that, when loaded, will instruct the help application to open a specified application on the target user's computer.

It is also reported that the Safari browser stores '.dmg' files in a known location. As a result, a remote user may be able to create HTML that downloads a script within a DMG file and then calls the Help application to execute the script from the known location.

A demonstration exploit URL is of the following format:

help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string='[location of file]'">

A demonstration exploit is available at:
http://www.insecure.ws/safari/0x04_test.html

The original advisory is available at:
http://fundisom.com/owned/warning

The vendor was reportedly notified on February 23, 2004.
Impact: A remote user can create HTML that, when loaded by the target user, will execute specified applications on the target user's system.
Solution: No solution was available at the time of this entry.
Vendor URL: www.apple.com/
Cause: Access control error, State error
Underlying OS: UNIX (OS X)
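
With no vendor fix listed, one interim control is to screen HTML at a proxy or mail gateway for the URL pattern described above. The following is an added example, not part of the original advisory or any vendor tooling: it flags 'help:' URLs that call runscript and marks '.dmg' links for review. The function names, verdict labels and sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "data", "content"}  # attributes that can carry a URL
HELP_RUNSCRIPT = re.compile(r"help:\s*runscript\s*=", re.I)
DMG_REF = re.compile(r"\.dmg\b", re.I)

class HelpSchemeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, location) tuples
        self.in_script = False

    def check(self, where, value):
        decoded = unquote(value)  # undo %-encoding; the parser already decoded entities in attributes
        if HELP_RUNSCRIPT.search(decoded):
            self.findings.append(("help-runscript", where))
        elif DMG_REF.search(decoded):
            self.findings.append(("dmg-reference", where))

    def handle_starttag(self, tag, attrs):
        self.in_script = (tag == "script")
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.check(f"<{tag} {name}>", value)

    def handle_endtag(self, tag):
        self.in_script = False  # any end tag, including </script>, leaves script context

    def handle_data(self, data):
        if self.in_script:
            self.check("<script> body", data)

def scan_html(html):
    """Return (verdict, findings): 'block' on help:runscript, 'review' on .dmg links."""
    scanner = HelpSchemeScanner()
    scanner.feed(html)
    scanner.close()
    kinds = {kind for kind, _ in scanner.findings}
    verdict = "block" if "help-runscript" in kinds else "review" if kinds else "allow"
    return verdict, scanner.findings

# Constructed sample pages; the help: URL follows the format quoted in the advisory.
SAMPLES = {
    "link": '<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string=\'[location of file]\'">read more</a>',
    "encoded": '<a href="help:runscript%3DMacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt">x</a>',
    "dmg": '<a href="http://example.invalid/sample.dmg">download</a>',
    "benign": '<a href="https://www.apple.com/">Apple</a>',
}
```

Calling scan_html(SAMPLES["link"]) returns the verdict together with the element and attribute where the URL was found, which is what a gateway log entry would need to record.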