Apple Safari XMLHttpRequest execute code

safari-xmlhttprequest-execute-code (20124)

High Risk

Description:

Safari Web browser, Apple Safari RSS, Omni Group OmniWeb, Mac OS, and Mac OS X Server could allow a remote attacker to execute arbitrary code. An attacker can bypass security restrictions of the XMLHttpRequest component and embed malicious JavaScript within a specially-crafted HTML file which, once the victim loads the file, would allow the attacker to execute arbitrary code on the system with privileges of the local domain.

Platforms Affected:

• Apple, Mac OS X 10.3.9
• Apple, Mac OS X Server 10.3.9
• Apple, Safari 1.2
• Omni Group, OmniWeb 5.1

Remedy:

For Mac OS:
Apply Security Update 2005-04-15, as listed in Apple Security Content Article 301327. See References.

Consequences:

Gain Access

References:

• Apple Security Content Article 301327, About the security content of the Mac OS X 10.3.9 Update at http://docs.info.apple.com/article.html?artnum=301327.
• BugTraq Mailing List, Sat Apr 16 2005 - 01:15:21 CDT , AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability at http://archives.neohapsis.com/archives/bugtraq/2005-04/0239.html.
• CIAC INFORMATION BULLETIN P-185, Apple Mac OS X v10.3.9 Security Update at http://www.ciac.org/ciac/bulletins/p-185.shtml.
• OmniWeb Web site, The Omni Group - Applications - OmniWeb at http://www.omnigroup.com/applications/omniweb/.
• Safari RSS Web site, Apple - Mac OS X - Safari RSS at http://www.apple.com/macosx/features/safari/.
• BID-13202: Apple WebCore Framework XMLHttpRequests Remote Code Execution Vulnerability
• CVE-2005-0976: AppleWebKit (WebCore and WebKit), as used in multiple products such as Safari 1.2 and OmniGroup OmniWeb 5.1, allows remote attackers to read arbitrary files via the XMLHttpRequest Javascript component, as demonstrated using automatically mounted disk images and file:// URLs.
• US-CERT VU#998369: Apple Web Kit-based browsers may allow remote access to local filesystem contents

Reported:

Apr 16, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page