Apple Safari fails to properly handle form data in HTTP redirects

ID VU:128414
Type cert
Reporter CERT
Modified 2004-08-16T20:34:00



There is a vulnerability in the way Safari handles form data that may expose sensitive information when the forward/backward buttons are used.


Apple Safari is a web browser available for the Mac OS X operating system. A vulnerability exists in the way Safari handles web form data. When a web form is submitted to a server using the POST method and the server returns an HTTP redirect to a GET method URL, Safari may re-POST that data to the GET method URL. It has been reported that this condition occurs when the forward/backward buttons are used. No further information was provided on this vulnerability.
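The sequence described above (a POST, a redirect, then a POST carrying a body to the redirect target) can be looked for in proxy or gateway records. The following Python is an added example, not part of the original advisory and not Apple or CERT tooling; the record fields (`ts`, `client`, `method`, `url`, `status`, `location`, `body_len`), the 300-second window and the sample records are constructed assumptions.

```python
from urllib.parse import urljoin

# Redirects after which a browser follows a POST with a body-less GET
# (303 by specification, 301/302 by long-standing browser practice).
# 307/308 preserve the method, so a repeated POST there is expected.
GET_AFTER_POST = {301, 302, 303}


def find_reposts(records, window=300):
    """Return (redirecting_record, repost_record) pairs from proxy records.

    Flags a client that POSTs to A, is redirected (301/302/303) to B, and
    within `window` seconds sends a POST with a non-empty body to B.
    """
    pending = {}   # (client, redirect target) -> record that redirected
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["client"], rec["url"])
        origin = pending.get(key)
        if origin and rec["ts"] - origin["ts"] > window:
            del pending[key]          # redirect too old to correlate
            origin = None
        # A plain GET to B does not clear the entry: the re-POST is reported
        # to happen later, on back/forward navigation.
        if origin and rec["method"] == "POST" and rec["body_len"] > 0:
            findings.append((origin, rec))
        if rec["method"] == "POST" and rec["status"] in GET_AFTER_POST and rec["location"]:
            target = urljoin(rec["url"], rec["location"])  # resolve relative Location
            pending[(rec["client"], target)] = rec
    return findings


def _rec(ts, client, method, url, status, location, body_len):
    return dict(ts=ts, client=client, method=method, url=url,
                status=status, location=location, body_len=body_len)


# Constructed sample records (not real traffic); field names are assumptions.
SAMPLE = [
    _rec(0, "10.0.0.5", "POST", "http://shop.example/login", 302, "http://partner.example/welcome", 48),
    _rec(1, "10.0.0.5", "GET", "http://partner.example/welcome", 200, None, 0),
    _rec(40, "10.0.0.5", "POST", "http://partner.example/welcome", 200, None, 48),  # re-POST
    _rec(50, "10.0.0.9", "POST", "http://shop.example/upload", 307, "/store", 900),
    _rec(51, "10.0.0.9", "POST", "http://shop.example/store", 200, None, 900),      # 307: expected
]

if __name__ == "__main__":
    for origin, repost in find_reposts(SAMPLE):
        print(f'{repost["client"]}: POST body re-sent to {repost["url"]} after redirect from {origin["url"]}')
```

A redirect target that also accepts form submissions of its own will produce false positives, so hits need review against the target's expected methods.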


A user's form data could be disclosed to a remote server.


Apple has released a patch to address this vulnerability. For further details, please see the Apple Security Advisory (Security Updates for Mac OS X 10.3.5).

Vendor Information



Apple Computer Inc.: Affected

Updated: August 16, 2004



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


Please refer to Apple's security updates for Mac OS X 10.3.5.




This vulnerability was reported by Apple. In turn, Apple credits Rick Osterberg of Harvard University for reporting this issue.

This document was written by Damon Morda.

Other Information

CVE IDs: CVE-2004-0743
Severity Metric: 1.45
Date Public: 2004-08-10
Date First Published: 2004-08-16
Date Last Updated: 2004-08-16 20:34 UTC
Document Revision: 10