SecurityTracker.com
Category:   Application (Web Browser)  >   Apple Safari
Vendors:   Apple Computer
Apple Safari Bugs Let Remote Users Modify the Address Bar and Conduct Cross-Domain Scripting Attacks
SecurityTracker Alert ID:  1018282
SecurityTracker URL:  http://securitytracker.com/id/1018282
CVE Reference:   CVE-2007-2398, CVE-2007-2400
Updated:  Jun 23 2007
Original Entry Date:  Jun 22 2007
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 3.0, 3.0.1
Description:   Two vulnerabilities were reported in Safari 3 Beta. A remote user can spoof the contents of the address bar. A remote user can conduct cross-domain scripting attacks.

A remote user can create specially crafted HTML that, when loaded by the target user, will change the contents of the address bar on the target user's browser without loading the corresponding page [CVE-2007-2398]. A timing issue in Safari Beta 3.0.1 for Windows lets a page leave a legitimate site's URL in the address bar over content the attacker controls, so credentials or other information the user enters can be harvested.

Only Safari for Windows is affected; Mac OS X systems are not affected by this vulnerability.

Robert Swiecki reported this vulnerability.

A demonstration exploit is available at:

http://alt.swiecki.net/saff.html

A remote user can create specially crafted HTML that, when loaded by the target user, will exploit a race condition in page updating, combined with an HTTP redirection, to let JavaScript running in the context of one page modify a page in a different security domain [CVE-2007-2400]. The redirected page's cookies and contents can be read or arbitrarily modified, bypassing the same-origin restrictions Safari normally enforces on window properties.

Both Windows and Mac OS X systems are affected.

Apple credits Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. with reporting this vulnerability.

Impact:   A remote user can create HTML that, when loaded by the target user, will spoof the address bar on the target user's browser, displaying another site's URL over attacker-controlled content.

A remote user can read the cookies (including authentication cookies), if any, that the target user's browser holds for an arbitrary site, read or modify the contents of that site's pages as rendered in the target user's browser, including data recently submitted by the target user via web form, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fixed version (Safari 3 Beta Update 3.0.2), available via the Apple Software Update application, or Apple's Safari download site at the URL below. Verify the SHA-1 digest of the downloaded file against the value listed for it before installing. The update also contains the entire Security Update 2007-006, which will not be offered separately via Software Update on systems running Safari 3 Beta (see the source message below).

http://www.apple.com/safari/download/

For Mac OS X
The download file is named: "Safari302Beta.dmg"
Its SHA-1 digest is: b8ee8d7c1ac3237de2ab0524077a20bae7f55001

Safari for Windows XP or Vista
The download file is named: "SafariSetup.exe"
Its SHA-1 digest is: 3cbbf5a09ece4cac7f35b79f67b6990d5c0565f3

Safari+QuickTime for Windows XP or Vista
The download file is named: "SafariQuickTimeSetup.exe"
Its SHA-1 digest is: 7f0ea984bbdcbba4a3a85d785f2fdb810ed3954a

Vendor URL:  www.apple.com/safari
Cause:   Access control error, Input validation error
Underlying OS:   UNIX (OS X), Windows (Vista), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 1 2007 (Apple Issues Fix for iPhone) Apple Safari Bugs Let Remote Users Modify the Address Bar and Conduct Cross-Domain Scripting Attacks   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has released a fix for iPhone.
Apr 16 2008 (Apple Issues New Fix) Apple Safari Bugs Let Remote Users Modify the Address Bar and Conduct Cross-Domain Scripting Attacks
Apple has issued a new fix for Safari.



 Source Message Contents

Date:  Fri, 22 Jun 2007 14:04:53 -0700
Subject:  APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2

Safari
CVE-ID:  CVE-2007-2398
Available for:  Windows XP or Vista
Impact:  A maliciously crafted website may control the contents of
the address bar
Description:  In Safari Beta 3.0.1 for Windows, a timing issue allows
a web page to change the contents of the address bar without loading
the contents of the corresponding page.  This could be used to spoof
the contents of a legitimate site, allowing user credentials or other
information to be gathered.  This update addresses the issue by
restoring the address bar contents if a request for a new web page is
terminated.  This issue does not affect Mac OS X systems.

Safari
CVE-ID:  CVE-2007-2400
Available for:  Mac OS X v10.4.9 or later, Windows XP or Vista
Impact:  Visiting a malicious website may allow cross-site scripting
Description:  Safari's security model prevents JavaScript in remote
web pages from modifying pages outside of their domain.  A race
condition in page updating combined with HTTP redirection may allow
JavaScript from one page to modify a redirected page.  This could
allow cookies and pages to be read or arbitrarily modified.  This
update addresses the issue by correcting access control to window
properties.  Credit to Lawrence Lai, Stan Switzer, Ed Rowe of Adobe
Systems, Inc for reporting this issue.

WebCore
CVE-ID:  CVE-2007-2401
Available for:  Mac OS X v10.4.9 or later, Windows XP or Vista
Impact:  Visiting a malicious website may allow cross-site requests
Description:  An HTTP injection issue exists in XMLHttpRequest when
serializing headers into an HTTP request.  By enticing a user to
visit a maliciously crafted web page, an attacker could conduct
cross-site scripting attacks.  This update addresses the issue by
performing additional validation of header parameters.  Credit to
Richard Moore of Westpoint Ltd for reporting this issue.

WebKit
CVE-ID:  CVE-2007-2399
Available for:  Mac OS X v10.4.9 or later, Windows XP or Vista
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  An invalid type conversion when rendering frame sets
could lead to memory corruption.  Visiting a maliciously crafted web
page may lead to an unexpected application termination or arbitrary
code execution.  Credit to Rhys Kidd of Westnet for reporting this
issue.

Note:  This update will appear for systems running Safari 3 Beta.  It
includes the entire contents of Security Update 2007-006.  Security
Update 2007-006 itself will not appear via Software Update for
systems that have installed Safari 3 Beta.

Safari 3 Beta Update 3.0.2 is available via the Apple Software Update
application, or Apple's Safari download site at:
http://www.apple.com/safari/download/

For Mac OS X
The download file is named:  "Safari302Beta.dmg"
Its SHA-1 digest is:  b8ee8d7c1ac3237de2ab0524077a20bae7f55001

Safari for Windows XP or Vista
The download file is named:  "SafariSetup.exe"
Its SHA-1 digest is:  3cbbf5a09ece4cac7f35b79f67b6990d5c0565f3

Safari+QuickTime for Windows XP or Vista
The download file is named:  "SafariQuickTimeSetup.exe"
Its SHA-1 digest is:  7f0ea984bbdcbba4a3a85d785f2fdb810ed3954a

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.6 (Build 6060)

iQEVAwUBRnw3ccgAoqu4Rp5tAQgYvwf/VJn4IiZRU7UDu+bDn5b9QFfZ+HqvukiY
6lqba2GXPO7WS6wqkFafUVDBB/PDsQ75BbzPwi1Mr/UDBxUj6d5OvnyUDJ0D9bG8
uDQujhZazEUuhDYom+IqC6OgVr1jMF70RI/nPNr14GGFXLF+IuIlTtLu9UHi5nME
OzQ+W6THIBxhfckgP0CGkh5wi7BdSSfo0UviY+tg8+F1GQieNysk1FNtj3JspQOD
NB/3v6bmPlFwJayNqVjYlduIa6ycCvJhpeupWFzNqOjeEIwlhlv3BSsrnWPZVd4f
YiibgfkYXMO0f0UPx3iwzimux88mlD2wvgqBn7lEfobVsCTJD5dCPA==
=vzAk
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
 
 


Copyright 2014, SecurityGlobal.net LLC