<<< Date Index >>>     <<< Thread Index >>>

Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12



Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12

Apple's Safari web browser ignores the Content-type: sent by the web server. As a result, plain text is rendered as HTML. This is obviously undesirable; a text file could contain HTML and carry out an XSS attack.

For an example of this in action, visit:

http://tigger.uic.edu/htbin/perlwrap/jrockw2/safari_test.pl

This will only work if you are on the UIC campus, if you have a login at UIC, UIUC, or UIS you can visit:

https://tigger.uic.edu/htbin/perlwrap-auth/jrockw2/safari_test.pl

Anyway, for the 99.99% of you not affiliated with the University of Illinois, this script simply prints:
 --
Content-type: text/plain

<HTML><BODY><FONT color="red">Your browser contains a security problem if this text is red.</FONT></BODY></HTML>
 --

sans the --'s, obviously.

In Safari, the text is red. In Firefox 1.0, the text is rendered appropriately; i.e. the user sees the tag soup.

The security problem is that servers serving HTML may be taking measures to prevent XSS attacks; i.e. they convert < to &lt;. These servers, when serving plain text, may not do this (because it is unnecessary and undesirable). Safari opens up a hole where a malicious user could inject HTML into a plain text output and perform an XSS attack that would not work otherwise (with a proper browser).

The latest version of this advisory is viewable at http://tigger.uic.edu/~jrockw2/safari_20050204.txt

Note that it won't render properly in Safari :-)

Regards,
--
Jonathan Rockway <jrockway@xxxxxxxxxxxx>
Student - University of Illinois at Chicago
http://www.uic.edu/~jrockw2/