SecurityTracker.com
Category: Application (Web Browser) > Apple Safari
Vendors: Apple Computer
Safari for Windows Lets Remote Users Upload Arbitrary File
SecurityTracker Alert ID: 1018575
SecurityTracker URL: http://securitytracker.com/id/1018575
CVE Reference: CVE-2007-4424
Updated: Apr 24 2008
Original Entry Date: Aug 16 2007
Impact: Modification of user information
Exploit Included: Yes
Version(s): 3.0.3
Description: A vulnerability was reported in Safari. A remote user can cause arbitrary files to be written to the target user's system without user interaction.

The Windows version of the browser downloads files automatically without user approval, including executables. The default location is the Windows Desktop.

A remote user can create HTML that, when loaded by the target user, will cause an arbitrary file to be written to the target user's desktop.

Laurent Gaffie reported this vulnerability.

Impact: A remote user can cause arbitrary files to be written to the target user's desktop.
Solution: No solution was available at the time of this entry.
Vendor URL: www.apple.com/safari
Cause: Access control error, State error
Underlying OS: Windows (Any)

Message History: None.


Source Message Contents

Date: 11 Aug 2007 15:09:59 -0000
Subject: Safari for Windows remote arbitrary file upload

Product: Safari browser for Windows
Tested on: Last version (3.0.3)
Download URL: http://www.apple.com/safari/
Demo URL: http://images.apple.com/movies/us/apple/safari/2007/wwdc/apple-safari_672x416.mov
Bug: Remote arbitrary file upload
Impact: Critical
Fix Available: No

-------------------------------------------------------

1) Introduction
2) Bug
3) Proof of concept
4) Conclusion

===============
1) Introduction
===============

"Now you can enjoy worry-free web browsing on any computer.
Apple engineers designed Safari to be secure from day one."

======
2) Bug
======
The Safari browser doesn't prompt for a download; it just downloads the file and sends it directly
to the desktop, which is totally insecure on a Windows operating system.


==================
3) Proof of concept
==================
http://dams083.free.fr/tmp/index.php
(will upload a .pif directly onto your desktop without any prompt ...)



=============
4) Conclusion
=============
Any potentially dangerous file (like .exe, .com, .pif, etc.) should be prompted for
before uploading the file.

Regards, Laurent Gaffié
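A download policy of the kind the conclusion asks for, as an added Python example (not code from the advisory or from Apple): it decides whether a download must prompt, taking the name the file would be saved under from the Content-Disposition header or the URL and normalizing it the way Windows does (trailing dots and spaces dropped, case ignored), so that double extensions and trailing-dot names still reach the prompt. The extension and MIME-type lists beyond .exe, .com and .pif, and the example.invalid URLs, are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Extensions Windows runs directly. The advisory names .exe, .com and .pif; the
# remaining entries are assumptions added for this example.
DANGEROUS_EXTENSIONS = {"exe", "com", "pif", "scr", "bat", "cmd", "vbs", "hta", "msi", "lnk"}
# Declared types that mean "Windows executable" even when the name looks harmless (assumed list).
EXECUTABLE_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def filename_from_headers(content_disposition, url):
    """Name the browser would save under: RFC 6266 filename*=, then filename=, then the URL path."""
    if content_disposition:
        m = re.search(r"filename\*\s*=\s*[\w-]+'[\w-]*'([^;]+)", content_disposition, re.I)
        if m:
            return unquote(m.group(1).strip())
        m = re.search(r'filename\s*=\s*("([^"]*)"|([^;]+))', content_disposition, re.I)
        if m:
            value = (m.group(2) if m.group(2) is not None else m.group(3)).strip()
            if value:
                return value
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def normalize_windows_name(name):
    """Windows drops trailing dots and spaces and ignores case; the policy must see the same name."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # strip any path components
    return name.rstrip(". ").lower()


def should_prompt(content_disposition, content_type, url):
    """Return (prompt, reason): True when the file as saved would be executable on Windows."""
    name = normalize_windows_name(filename_from_headers(content_disposition, url))
    ext = name.rsplit(".", 1)[-1] if "." in name else ""   # the last extension is what Windows uses
    if ext in DANGEROUS_EXTENSIONS:
        return True, f"executable extension .{ext} in {name!r}"
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime in EXECUTABLE_MIME_TYPES:
        return True, f"executable content type {mime!r}"
    return False, "no prompt needed"


if __name__ == "__main__":
    # Constructed responses: trailing-dot executable, double extension, MIME-only case, benign PDF.
    cases = [
        ('attachment; filename="setup.exe."', "application/octet-stream", "http://example.invalid/dl"),
        ("attachment; filename*=UTF-8''report%20.pdf.pif", "application/pdf", "http://example.invalid/x"),
        (None, "application/x-msdownload", "http://example.invalid/get?id=7"),
        ('inline; filename="report.pdf"', "application/pdf", "http://example.invalid/report.pdf"),
    ]
    for cd, ct, url in cases:
        print(should_prompt(cd, ct, url))
```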

Copyright 2014, SecurityGlobal.net LLC