Safari XMLHttpRequest HTTP header injection

From: Richard Moore <rich@xxxxxxxxxxxxxxxx>
Date: Mon, 25 Jun 2007 12:03:18 +0100

Westpoint Security Advisory
---------------------------

Title: Safari XMLHttpRequest HTTP header injection
Risk Rating: Low
Platforms: MacOS and Windows
Author: Richard Moore <rich@xxxxxxxxxxxxxxxx>
Date: 25 June 2007
Advisory ID#: wp-07-0002
URL: http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
CVE: CVE-2007-2401

Overview
--------

The XMLHttpRequest object is intended to enforce a same-origin
security policy, and to prevent the injection of HTTP headers that
can be used maliciously. Unpatched releases of Safari on both Windows
and MacOS X allow JavaScript to bypass these restrictions. It is
possible to insert arbitrary HTTP headers into the request, including
the Host header.

Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this
issue.

Details
-------

It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying
values containing newline characters. For example, a request such as
this is treated as valid:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

and results in:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test

Impact
------

This allows a malicious site to cause the user's browser to attack
other sites that are virtual servers on the same IP address (eg. via
SQL injection or cross-site scripting). Potentially any header can be
injected. If the user is accessing the web via a proxy then potentially
any site can be attacked.

Timeline
--------

14/06/2007 Apple informed of the vulnerability
22/06/2007 Patch released
25/06/2007 Confirmed that the fix addresses the issue
25/06/2007 Westpoint advisory release

--
Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

Prev by Date: Re: Re: [MajorSecurity Advisory #47]Simple Machines Forum (SMF) - Session fixation Issue
Next by Date: "run as" local denial-of-service enables administrative account processes to be killed
Previous by thread: Papoo CMS 3.6 - Access Restriction Bypass
Next by thread: "run as" local denial-of-service enables administrative account processes to be killed
Index(es):
- Date
- Thread

Relevant Pages

[Full-disclosure] Safari XMLHttpRequest HTTP header injection
... Westpoint Security Advisory ... The XMLHttpRequest object is intended to enforce a same-origin ... Unpatched releases of Safari on both Windows ... possible to insert arbitrary HTTP headers into the request, ...
(Full-Disclosure)
[NT] Cumulative Security Update for Internet Explorer (MS04-025)
... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
(Securiteam)
[NT] Vulnerability in HTML Help Allows Code Execution (MS05-001)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ...
(Securiteam)
Re: The Myth of the secure Mac
... OEM Windows XP Home goes for a bit under $100. ... >> secure than Home. ... Though this really has nothing to do with security. ... Microsoft counts on third-party developers to provide more ...
(comp.sys.mac.advocacy)
SecurityFocus Microsoft Newsletter #120
... Strengthening Network Security: FREE Guide Network security is a ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows File Protection Signed File Replacement... ... PlatinumFTPServer Information Disclosure Vulnerability ...
(Focus-Microsoft)