7:54 AMApple Safari cross-domain XML theft vulnerability
|Safari prior to version 4 may permit an evil web page to steal|
arbitrary XML data cross-domain.
This is accomplished by abusing a relatively obscure cross-domain
access point which was completely missing a cross-domain access check.
The access point in question is the document() function in XSL. This
is best illustrated with a sample evil XSL file which abuses this
Below, you should see e-mail stolen cross-domain!
To mount the attack, the attacker would serve a web page which has XML
MIME type and requests to be styled by the evil stylesheet:
<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?
There are a number of interesting XML-based formats you might want to
steal including authenticated RSS, XML-formatted AJAX-y responses, and
Full technical details: http://scary.beasts.org/
Blog post: http://scarybeastsecurity.
(includes 1-click demo)
|Total comments: 0|