|
|
|
|
| |
Credit:
The information has been provided by Richard Moore.
The original article can be found at: http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
|
| |
It is possible to bypass the security restrictions of the XMLHttpRequest setRequestHeader function to include arbitrary headers by specifying values containing newline characters. For example, a request such as this is treated as valid:
xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');
and results in:
GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test
Impact:
This allows a malicious site to cause the user's browser to attack other sites that are virtual servers on the same IP address (eg. via SQL injection or cross-site scripting). Potentially any header can be injected. If the user is accessing the web via a proxy then potentially any site can be attacked.
Timeline:
14/06/2007 - Apple informed of the vulnerability
22/06/2007 - Patch released
25/06/2007 - Confirmed that the fix addresses the issue
25/06/2007 - Westpoint advisory release
CVE Information:
CVE-2007-2401
|
|
|
|
|
