Mac OS X Syndication RSS Feed XSS

2006-02-28T06:02:40
ID OSVDB:23649
Type osvdb
Reporter OSVDB
Modified 2006-02-28T06:02:40

Description

Vulnerability Description

Mac OS X contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the Safari RSS reader may allow JavaScript embedded in an RSS feed to run in the context of the RSS reader document itself, rather than being treated as untrusted feed content. An attacker who can get a victim to view a specially crafted RSS feed could thereby circumvent Safari's security model and execute arbitrary code, leading to a loss of integrity.
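The mechanism described above, as an added example that is not code from Apple, Safari or OSVDB: a constructed RSS feed whose item description carries an inline script and an event handler, the vulnerable rendering pattern (feed HTML concatenated straight into the reader's own document, so the script runs with the reader document's privileges) beside a hardened renderer that escapes all text and re-admits only a small, attribute-free tag set. The sample feed, the allowlist, the hypothetical reader functions and the `http(s)`-only link policy are assumptions for illustration, not any real reader's code or policy.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not taken from any advisory or real site): the
# <description> carries HTML with a <script> and an onerror handler, the kind
# of payload that runs if a reader drops feed HTML into its own document.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Example feed</title>
    <item>
      <title>Hello &amp; welcome</title>
      <link>http://example.invalid/post/1</link>
      <description><![CDATA[<p>Normal text</p><script>alert(1)</script><img src=x onerror="alert(2)">]]></description>
    </item>
  </channel>
</rss>
"""


def parse_items(feed_xml):
    """Pull title/link/description out of every <item> in an RSS 2.0 feed."""
    root = ET.fromstring(feed_xml)
    return [{
        "title": item.findtext("title", ""),
        "link": item.findtext("link", ""),
        "description": item.findtext("description", ""),
    } for item in root.iter("item")]


def render_unsafe(items):
    """Vulnerable pattern (hypothetical reader): feed HTML is concatenated
    into the reader document unchanged, so any script in it executes in the
    reader document's context."""
    return "".join(f"<h2>{i['title']}</h2><div>{i['description']}</div>" for i in items)


# Assumption: an illustrative allowlist of tags that carry no attributes
# except a checked href on <a>. Anything else (img, iframe, object, ...) is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")
HREF_RE = re.compile(r"""href\s*=\s*["']?([^"'\s>]+)""", re.I)


def sanitize(fragment):
    """Escape every text run, keep only allowlisted tags without attributes,
    and discard the entire body of <script>/<style> elements."""
    out, pos, skip_until = [], 0, None
    for m in TAG_RE.finditer(fragment):
        closing, name, attrs = m.group(1) == "/", m.group(2).lower(), m.group(3)
        if skip_until:                      # inside <script>/<style>: drop until its close tag
            if closing and name == skip_until:
                skip_until = None
            pos = m.end()
            continue
        out.append(html.escape(fragment[pos:m.start()]))   # text between tags
        pos = m.end()
        if name in ("script", "style") and not closing:
            skip_until = name
        elif name in ALLOWED_TAGS:
            if closing:
                out.append(f"</{name}>")
            elif name == "a":
                href = HREF_RE.search(attrs)
                url = href.group(1) if href else ""
                if url.lower().startswith(("http://", "https://")):
                    out.append(f'<a href="{html.escape(url, quote=True)}" rel="noopener">')
                else:                       # javascript:, data:, vbscript: ... become a bare <a>
                    out.append("<a>")
            else:
                out.append(f"<{name}>")     # attributes (onclick, style, ...) never survive
        # any other tag is dropped entirely; its surrounding text is kept
    out.append(html.escape(fragment[pos:]))
    return "".join(out)


def render_safe(items):
    """Hardened pattern (hypothetical reader): titles are escaped, descriptions sanitized."""
    return "".join(
        f"<h2>{html.escape(i['title'])}</h2><div>{sanitize(i['description'])}</div>"
        for i in items)


if __name__ == "__main__":
    items = parse_items(SAMPLE_FEED)
    print("UNSAFE:", render_unsafe(items))
    print("SAFE:  ", render_safe(items))
```

Escaping first and re-admitting a fixed tag set is the conservative order: a new attack vector in an unanticipated tag or attribute fails closed, because nothing reaches the reader document unless the sanitizer explicitly emits it. Rendering the feed in its own, unprivileged origin would be the complementary fix on the reader side; the sanitizer above only removes active content from what the reader chooses to inline.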

Solution Description

Apple has released Security Update 2006-001 to address this vulnerability; no workarounds are known. Users should apply the update.

References:

Vendor Specific Advisory URL
Secunia Advisory ID: 19064
Related OSVDB IDs: 23636, 23637, 23638, 23639, 23640, 23641, 23642, 23643, 23644, 23645, 23646, 23647, 23648
News Article: http://www.informationweek.com/news/showArticle.jhtml;?articleID=181500394
FrSIRT Advisory: ADV-2006-0791
CVE ID: CVE-2006-0389
Bugtraq ID: 16907