Apple Safari Incorrectly Renders Text as HTML in Certain Cases
SecurityTracker Alert ID: 1013087
SecurityTracker URL: http://securitytracker.com/id/1013087
CVE Reference: GENERIC-MAP-NOMATCH
Date: Feb 5 2005
Impact:
Modification of system information
Exploit Included: Yes
Version(s): 1.2.4 v125.12
Description:
An input validation vulnerability was reported in Apple Safari. The browser renders a response declared as plain text as HTML when the body contains HTML markup.
Jonathan Rockway reported that the browser disregards the HTTP 'Content-type' header value sent by the web server. As a result, text that a web server serves with 'Content-type: text/plain' is rendered by Safari as HTML. This may facilitate cross-site scripting attacks against sites that HTML-escape their HTML output but emit user-supplied data unescaped in plain text output, where escaping is normally unnecessary.
The demonstration exploit is the following server response (a plain text body that an affected browser renders as HTML):
Content-type: text/plain

<HTML><BODY><FONT color="red">Your browser contains a security problem
if this text is red.</FONT></BODY></HTML>
The original advisory is available at:
http://tigger.uic.edu/~jrockw2/safari_20050204.txt
Impact:
The browser renders plain text as HTML in certain cases, which may enable cross-site scripting attacks against sites that serve user-supplied text as text/plain without HTML escaping.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.apple.com/
Cause:
Input validation error, State error
Underlying OS:
UNIX (OS X)
Message History:
None.
Source Message Contents
Date: Fri, 4 Feb 2005 06:10:10 -0600
Subject: Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12
Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12
Apple's Safari web browser ignores the Content-type: sent by the web
server. As a result, plain text is rendered as HTML. This is
obviously undesirable; a text file could contain HTML and carry out an
XSS attack.
For an example of this in action, visit:
http://tigger.uic.edu/htbin/perlwrap/jrockw2/safari_test.pl
This will only work if you are on the UIC campus; if you have a login
at UIC, UIUC, or UIS you can visit:
https://tigger.uic.edu/htbin/perlwrap-auth/jrockw2/safari_test.pl
Anyway, for the 99.99% of you not affiliated with the University of
Illinois, this script simply prints:
--
Content-type: text/plain

<HTML><BODY><FONT color="red">Your browser contains a security problem
if this text is red.</FONT></BODY></HTML>
--
sans the --'s, obviously.
In Safari, the text is red. In Firefox 1.0, the text is rendered
appropriately; i.e. the user sees the tag soup.
The security problem is that servers serving HTML may be taking
measures to prevent XSS attacks; i.e. they convert < to &lt;. These
servers, when serving plain text, may not do this (because it is
unnecessary and undesirable). Safari opens up a hole where a malicious
user could inject HTML into a plain text output and perform an XSS
attack that would not work otherwise (with a proper browser).
The latest version of this advisory is viewable at
http://tigger.uic.edu/~jrockw2/safari_20050204.txt
Note that it won't render properly in Safari :-)
Regards,
--
Jonathan Rockway <jrockway@computer.org>
Student - University of Illinois at Chicago
http://www.uic.edu/~jrockw2/
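The following is an added example; it is not code from the SecurityTracker entry or from Rockway's advisory. It models, in Node.js, the decision that the Description and the "security problem" paragraph of the message describe: the same text/plain response as seen by a browser that honours Content-Type (Firefox 1.0 in the advisory) and by one that sniffs the body for markup (Safari 1.2.4 as reported), together with the two server-side responses to the problem: HTML-escaping the text even when serving text/plain, which the advisory notes servers normally avoid, and the X-Content-Type-Options: nosniff header, a later mechanism that did not exist in 2005. The function names, the sniffing heuristic and the HTTP framing are this example's own assumptions, not Safari internals.

```javascript
// Added example, not part of the advisory. Models the text/plain-vs-HTML
// rendering decision and the server-side responses to it. All names here
// (buildTextPlainResponse, decideRendering, ...) are this example's own.

// The probe body from the advisory, served with "Content-type: text/plain".
const PROBE_BODY =
  '<HTML><BODY><FONT color="red">Your browser contains a security problem\n' +
  'if this text is red.</FONT></BODY></HTML>\n';

// Build the raw HTTP response a text/plain endpoint would emit. The empty line
// (CRLF CRLF) between headers and body is mandatory. X-Content-Type-Options is
// a later mitigation (2008 onwards); it was not available when this was reported.
function buildTextPlainResponse(body, { nosniff = false } = {}) {
  const headers = [
    'HTTP/1.0 200 OK',
    'Content-Type: text/plain; charset=utf-8',
    `Content-Length: ${Buffer.byteLength(body, 'utf8')}`,
  ];
  if (nosniff) headers.push('X-Content-Type-Options: nosniff');
  return headers.join('\r\n') + '\r\n\r\n' + body;
}

// Split a raw response into status line, lower-cased header map and body.
function parseResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  if (sep < 0) throw new Error('malformed response: missing blank line after headers');
  const [status, ...lines] = raw.slice(0, sep).split('\r\n');
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status, headers, body: raw.slice(sep + 4) };
}

// A minimal content sniffer: does the start of the body look like HTML markup?
// Assumption: a stand-in for the behaviour the advisory describes, not a
// reproduction of Safari 1.2.4's actual heuristic.
const HTML_OPENERS = ['<!doctype html', '<html', '<head', '<body', '<script',
  '<iframe', '<font', '<table', '<div', '<a ', '<img', '<p>', '<br'];

function looksLikeHtml(body) {
  const head = body.slice(0, 512).replace(/^\s+/, '').toLowerCase();
  return HTML_OPENERS.some((tag) => head.startsWith(tag));
}

// Decide how a browser renders the response. A conforming browser honours
// Content-Type; a sniffing browser promotes a text/plain body to HTML when it
// looks like markup, unless the server opts out with nosniff.
function decideRendering(raw, { sniffs }) {
  const { headers, body } = parseResponse(raw);
  const declared = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  const nosniff = (headers['x-content-type-options'] || '').toLowerCase() === 'nosniff';
  if (declared === 'text/html') return 'html';
  if (sniffs && !nosniff && looksLikeHtml(body)) return 'html';
  return 'text';
}

// The escaping the advisory says text/plain endpoints normally skip. It costs
// readability (the user sees "&lt;") but removes the injection for any browser.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Serve the probe locally so a real browser can be tested; not started here.
// Usage: startProbeServer(8080), then open http://localhost:8080/ and check
// whether the text is red (body rendered) or the raw tags show (type honoured).
function startProbeServer(port, opts = {}) {
  const http = require('http');
  const { headers, body } = parseResponse(buildTextPlainResponse(PROBE_BODY, opts));
  return http.createServer((req, res) => {
    res.writeHead(200, headers);
    res.end(body);
  }).listen(port);
}
```

Calling `decideRendering(buildTextPlainResponse(PROBE_BODY), { sniffs: true })` returns `'html'`, the Safari result; with `{ sniffs: false }` it returns `'text'`, the Firefox result. Adding `{ nosniff: true }` to the response, or passing `escapeHtml(PROBE_BODY)` as the body, returns `'text'` even for the sniffing model, which is the difference between the two server-side fixes: one tells the browser to stop guessing, the other removes the markup the guess would find.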