Apple Safari: cookie stealing

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Apple Safari: cookie stealing
From: Robert Swiecki <jagger@xxxxxxxxxxx>
Date: Wed, 13 Jun 2007 12:34:42 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird Mnenhy/0.7.5.0

There is a vulnerability in Apple Safari, that allows an attacker to
steal a cookie belonging to the arbitrary domain or/and fill the browser
window with an arbitrary content, whereas the url bar and the browser's
window title is derived from the selected domain.

The flaw exists in the javascript's window.setTimeout() implementation.
The content of the timer-triggered function is processed after
window.location property is changed.

Tested with Apple Safari 3.0 (522.11.3) on MS Windows 2003 SE SP2

http://alt.swiecki.net/safc.html

-- 
Robert Swiecki
http://www.swiecki.net

Follow-Ups:
- Re: [Full-disclosure] Apple Safari: urlbar/window title spoofing
  - From: Robert Swiecki
- Re: [Full-disclosure] Apple Safari: cookie stealing
  - From: Michal Zalewski

Prev by Date: Re: PHP parse_str() arbitrary variable overwrite
Next by Date: Re: Windows Oday release
Previous by thread: [USN-474-1] xscreensaver vulnerability
Next by thread: Re: [Full-disclosure] Apple Safari: cookie stealing
Index(es):
- Date
- Thread