Westpoint Security Advisory --------------------------- Title: Safari XMLHttpRequest HTTP header injection Risk Rating: Low Platforms: MacOS and Windows Author: Richard Moore <rich@xxxxxxxxxxxxxxxx> Date: 25 June 2007 Advisory ID#: wp-07-0002 URL: http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt CVE: CVE-2007-2401 Overview -------- The XMLHttpRequest object is intended to enforce a same-origin security policy, and to prevent the injection of HTTP headers that can be used maliciously. Unpatched releases of Safari on both Windows and MacOS X allow JavaScript to bypass these restrictions. It is possible to insert arbitrary HTTP headers into the request, including the Host header. Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this issue. Details ------- It is possible to bypass the security restrictions of the XMLHttpRequest setRequestHeader function to include arbitrary headers by specifying values containing newline characters. For example, a request such as this is treated as valid: xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n'); and results in: GET / HTTP/1.1 Accept-Encoding: gzip, deflate Accept-Language: en Foo: baa Host: test Impact ------ This allows a malicious site to cause the user's browser to attack other sites that are virtual servers on the same IP address (eg. via SQL injection or cross-site scripting). Potentially any header can be injected. If the user is accessing the web via a proxy then potentially any site can be attacked. Timeline -------- 14/06/2007 Apple informed of the vulnerability 22/06/2007 Patch released 25/06/2007 Confirmed that the fix addresses the issue 25/06/2007 Westpoint advisory release -- Richard Moore, Principal Software Engineer, Westpoint Ltd, Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England Tel: +44 161 237 1028 Fax: +44 161 237 1031
