TUCoPS :: Macintosh :: tb11424.htm

Safari XMLHttpRequest HTTP header injection
Safari XMLHttpRequest HTTP header injection
Safari XMLHttpRequest HTTP header injection

Westpoint Security Advisory

Title:        Safari XMLHttpRequest HTTP header injection
Risk Rating:  Low
Platforms:    MacOS and Windows
Author: Richard Moore  
Date:         25 June 2007
Advisory ID#: wp-07-0002
URL: http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt 
CVE:          CVE-2007-2401


The XMLHttpRequest object is intended to enforce a same-origin
security policy, and to prevent the injection of HTTP headers that
can be used maliciously. Unpatched releases of Safari on both Windows
and MacOS X allow JavaScript to bypass these restrictions. It is
possible to insert arbitrary HTTP headers into the request, including
the Host header.

Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this


It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying
values containing newline characters. For example, a request such as
this is treated as valid:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

and results in:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test


This allows a malicious site to cause the user's browser to attack
other sites that are virtual servers on the same IP address (eg. via
SQL injection or cross-site scripting). Potentially any header can be
injected. If the user is accessing the web via a proxy then potentially
any site can be attacked.


14/06/2007	Apple informed of the vulnerability
22/06/2007	Patch released
25/06/2007	Confirmed that the fix addresses the issue
25/06/2007	Westpoint advisory release

Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH