Comments on: Safari 3.2.2 Feed Protocol Handler Issues http://xs-sniper.com/blog/2009/06/09/safari-322-feed-protocol-handler-issues/ Thoughts on Security in an Uncivilized World… Wed, 08 Sep 2010 02:39:08 -0700 hourly 1 http://wordpress.org/?v=3.0.1 By: Ur Face http://xs-sniper.com/blog/2009/06/09/safari-322-feed-protocol-handler-issues/comment-page-1/#comment-837 Ur Face Sat, 17 Oct 2009 01:28:51 +0000 http://xs-sniper.com/blog/?p=265#comment-837 Dude, Safari sucks. IE is the shite!!!!! GO IE! Plus, Apple is about to be the most pwnd OS per capita. Dude, Safari sucks. IE is the shite!!!!!

GO IE!

Plus, Apple is about to be the most pwnd OS per capita.

]]> By: Security: Script Injection in Safari 3.2.2 « Nitin Katkam http://xs-sniper.com/blog/2009/06/09/safari-322-feed-protocol-handler-issues/comment-page-1/#comment-831 Security: Script Injection in Safari 3.2.2 « Nitin Katkam Mon, 21 Sep 2009 16:47:40 +0000 http://xs-sniper.com/blog/?p=265#comment-831 [...] A blog post from a couple of months ago by Billy Rios mentions about a security bug affecting Safari 3.2.2. Although Safari checks content for the presence of SCRIPT tags within the markup, they somehow forgot to do that for the summary attribute of a feed. As scripts present within the content of a document with a feed URI scheme run with elevated privileges, it is possible to inject a script that can retrieve a document stored on the user’s hard drive and upload it to a web server. For a code snippet of how this can be performed, go to the blog article by Billy Rios. [...] [...] A blog post from a couple of months ago by Billy Rios mentions about a security bug affecting Safari 3.2.2. Although Safari checks content for the presence of SCRIPT tags within the markup, they somehow forgot to do that for the summary attribute of a feed. As scripts present within the content of a document with a feed URI scheme run with elevated privileges, it is possible to inject a script that can retrieve a document stored on the user’s hard drive and upload it to a web server. For a code snippet of how this can be performed, go to the blog article by Billy Rios. [...]

]]> By: Brian Mastenbrook http://xs-sniper.com/blog/2009/06/09/safari-322-feed-protocol-handler-issues/comment-page-1/#comment-805 Brian Mastenbrook Thu, 02 Jul 2009 17:48:15 +0000 http://xs-sniper.com/blog/?p=265#comment-805 I couldn't find an obvious contact email on your site, but I thought I'd drop you a line in a comment to provide a little more information about an issue that Apple fixed in the 2009-001 update, in case you're interested. The issue I reported was mentioned as part of the same advisory as the one you wrote about in "Stealing More Files with Safari", and the impact was the same, but the mechanism I used was a little different. Prior to the 2009-001 update, Safari rendered any content returned with a 404 or other error-status page in a feed:// handler as if it was in the local content zone. I'm not surprised that a slight variant of the original issue remained unfixed, either. I think I'm on round 4 of trying to fix 'help:' URL vulnerabilities in OS X with them. It's become very clear that their approach to security is driven by "image management" much more so than any sort of thorough procedure. I couldn’t find an obvious contact email on your site, but I thought I’d drop you a line in a comment to provide a little more information about an issue that Apple fixed in the 2009-001 update, in case you’re interested. The issue I reported was mentioned as part of the same advisory as the one you wrote about in “Stealing More Files with Safari”, and the impact was the same, but the mechanism I used was a little different. Prior to the 2009-001 update, Safari rendered any content returned with a 404 or other error-status page in a feed:// handler as if it was in the local content zone.

I’m not surprised that a slight variant of the original issue remained unfixed, either. I think I’m on round 4 of trying to fix ‘help:’ URL vulnerabilities in OS X with them. It’s become very clear that their approach to security is driven by “image management” much more so than any sort of thorough procedure.

]]> By: Lowan http://xs-sniper.com/blog/2009/06/09/safari-322-feed-protocol-handler-issues/comment-page-1/#comment-804 Lowan Thu, 02 Jul 2009 07:30:20 +0000 http://xs-sniper.com/blog/?p=265#comment-804 Same on mshtml :). You can see it by example with RssReader who display your alert =). L. Same on mshtml :) .
You can see it by example with RssReader who display your alert =).

L.

]]>