Westpoint Security Advisory

Title:        Safari XMLHttpRequest HTTP header injection
Risk Rating:  Low
Platforms:    MacOS and Windows
Author:       Richard Moore <rich@westpoint.ltd.uk>
Date:         25 June 2007
Advisory ID#: wp-07-0002
URL:          http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
CVE:          CVE-2007-2401


The XMLHttpRequest object is intended to enforce a same-origin security policy,
and to prevent the injection of HTTP headers that can be used maliciously.
Unpatched releases of Safari on both Windows and MacOS X allow JavaScript to
bypass these restrictions. It is possible to insert arbitrary HTTP headers into
the request, including the Host header.

Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this issue.


It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying values
containing newline characters. For example, a request such as this is treated
as valid:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

and results in:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test


This allows a malicious site to cause the user's browser to attack other sites
that are virtual servers on the same IP address (e.g. via SQL injection or
cross-site scripting). Potentially any header can be injected. If the user is
accessing the web via a proxy, then potentially any site can be attacked.
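
The check a hardened setRequestHeader applies, alongside a server-side count of duplicate Host lines, as an added example that is not part of this advisory or of Safari's code. The forbidden-name list is an assumed subset of the Fetch specification's list, and the serialization helper is a simplified model of the unpatched behaviour.

```javascript
'use strict';

// Header names must be RFC 7230 tokens.
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;
// Octets that must never appear in a value: NUL, LF, CR.
const BAD_VALUE_RE = /[\x00\x0A\x0D]/;
// Assumed subset of the Fetch forbidden request-header list; the real
// list is longer and also covers the Proxy-* and Sec-* prefixes.
const FORBIDDEN_NAMES = new Set([
  'host', 'content-length', 'cookie', 'connection', 'origin',
  'referer', 'transfer-encoding', 'via',
]);

// Returns null if the pair may be sent, otherwise the reason it is refused.
function rejectReason(name, value) {
  const n = String(name);
  const v = String(value);
  if (!TOKEN_RE.test(n)) return 'name is not an HTTP token';
  if (BAD_VALUE_RE.test(v)) return 'value contains NUL, CR or LF';
  if (v !== v.trim()) return 'value has leading or trailing whitespace';
  const lower = n.toLowerCase();
  if (FORBIDDEN_NAMES.has(lower) || /^(proxy|sec)-/.test(lower)) {
    return 'header is browser-controlled and cannot be set by script';
  }
  return null;
}

// A hardened setRequestHeader: refuse the pair instead of emitting it.
function setRequestHeader(headers, name, value) {
  const reason = rejectReason(name, value);
  if (reason) throw new SyntaxError(`setRequestHeader(${name}): ${reason}`);
  headers.push([String(name), String(value)]);
  return headers;
}

// Serialization without the check, modelling the unpatched behaviour:
// a value containing "\n" is written out as additional header lines.
function serializeUnchecked(method, path, headers) {
  const lines = [`${method} ${path} HTTP/1.1`];
  for (const [n, v] of headers) lines.push(`${n}: ${v}`);
  return lines.join('\r\n') + '\r\n\r\n';
}

// Counts occurrences of a header name in a raw request; a server or
// proxy can use a count above one for Host to detect a smuggled header.
function countHeaderLines(raw, name) {
  const prefix = `${name.toLowerCase()}:`;
  return raw.split(/\r?\n/).filter((l) => l.toLowerCase().startsWith(prefix)).length;
}
```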


14/06/2007	Apple informed of the vulnerability
22/06/2007	Patch released
25/06/2007	Confirmed that the fix addresses the issue
25/06/2007	Westpoint advisory release
