Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12

From: Jonathan Rockway (jrockw2_at_uic.edu)
Date: 02/04/05

    Date: Fri, 4 Feb 2005 06:10:10 -0600
    To: bugtraq@securityfocus.com
    
    

    Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12

    Apple's Safari web browser ignores the Content-type: header sent by
    the web server. As a result, plain text is rendered as HTML. This is
    obviously undesirable; a text file could contain HTML and carry out an
    XSS attack.

    For an example of this in action, visit:

    http://tigger.uic.edu/htbin/perlwrap/jrockw2/safari_test.pl

    This will only work if you are on the UIC campus; if you have a login
    at UIC, UIUC, or UIS, you can visit:

    https://tigger.uic.edu/htbin/perlwrap-auth/jrockw2/safari_test.pl

    Anyway, for the 99.99% of you not affiliated with the University of
    Illinois, this script simply prints:
      --
    Content-type: text/plain

    <HTML><BODY><FONT color="red">Your browser contains a security problem
    if this text is red.</FONT></BODY></HTML>
      --

    sans the --'s, obviously.

    In Safari, the text is red. In Firefox 1.0, the text is rendered
    appropriately; i.e., the user sees the tag soup.

    The security problem is that servers serving HTML may be taking
    measures to prevent XSS attacks; i.e. they convert < to &lt;. These
    servers, when serving plain text, may not do this (because it is
    unnecessary and undesirable). Safari opens up a hole where a malicious
    user could inject HTML into a plain text output and perform an XSS
    attack that would not work otherwise (with a proper browser).
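    The following is an added example, not code from the advisory or from
    Apple: a small server-side audit that flags text/plain responses a
    type-sniffing browser might render as HTML, next to the headers a
    server should send so that untrusted text stays text. The
    X-Content-Type-Options: nosniff header is a real header, but it was
    introduced by browsers after this advisory was written, so it is not a
    fix for the Safari build discussed here; the tag-name heuristic is a
    constructed approximation of browser sniffing, not any browser's actual
    algorithm, and the sample body is the advisory's own test payload.

```python
import re

# Constructed sample: the advisory's test payload, served as text/plain.
SAMPLE_BODY = (
    b'<HTML><BODY><FONT color="red">Your browser contains a security problem\n'
    b'if this text is red.</FONT></BODY></HTML>\n'
)

# Tag names a lenient browser is likely to take as evidence that the body
# is "really" HTML. Constructed auditing heuristic, not a browser algorithm.
_HTML_TAG = re.compile(
    rb"<\s*/?\s*(!doctype|html|head|body|script|iframe|img|font|a|p|div|table|br)\b",
    re.IGNORECASE,
)


def looks_like_html(body: bytes, window: int = 512) -> bool:
    """True if the first `window` bytes contain a recognisable HTML tag."""
    return _HTML_TAG.search(body[:window]) is not None


def mime_type(headers: dict) -> str:
    """Lower-cased media type from Content-Type, with parameters stripped."""
    content_type = headers.get("Content-Type", "")
    return content_type.split(";", 1)[0].strip().lower()


def audit_text_response(headers: dict, body: bytes) -> list:
    """Findings for a response the server intends as plain text.

    An empty list means nothing looked risky under this heuristic.
    """
    findings = []
    if mime_type(headers) != "text/plain":
        findings.append("declared type is not text/plain")
    if looks_like_html(body):
        findings.append("body contains HTML markup a sniffing browser may render")
    if headers.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def harden_text_response(body: bytes) -> dict:
    """Headers for untrusted text that must never be rendered as HTML.

    nosniff tells browsers that support it to honour the declared type
    instead of guessing from the body; it does not exist for the 2005
    Safari build in the advisory, so the audit still reports HTML-looking
    bodies even when the header is present.
    """
    return {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(body)),
    }


if __name__ == "__main__":
    naive = {"Content-Type": "text/plain"}
    for label, hdrs in (("naive", naive), ("hardened", harden_text_response(SAMPLE_BODY))):
        print(label)
        for finding in audit_text_response(hdrs, SAMPLE_BODY) or ["no findings"]:
            print("  -", finding)
```

    Run over a real server's responses, the audit is a cheap way to find
    endpoints that echo user-supplied text as text/plain without telling
    the browser not to second-guess the type; the remaining finding on the
    hardened response is the point of the advisory, since a browser that
    ignores the declared type leaves only the markup itself to worry about.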

    The latest version of this advisory is viewable at
    http://tigger.uic.edu/~jrockw2/safari_20050204.txt

    Note that it won't render properly in Safari :-)

    Regards,

    -- 
    Jonathan Rockway <jrockway@computer.org>
    Student - University of Illinois at Chicago
    http://www.uic.edu/~jrockw2/
    
