WebKit Preflight请求同源策略绕过漏洞

2009-11-16T00:00:00
ID SSV:12644
Type seebug
Reporter Root
Modified 2009-11-16T00:00:00

Description

Bugraq ID: 36997 CVE ID:CVE-2009-2816

WebKit是一款开放源代码的web浏览器引擎。 WebKit存在同源策略绕过问题,远程攻击者可以利用漏洞访问其他域中的资源。 WebKit的跨源资源共享实现存在安全问题,在允许某源的页面访问其他源中的资源前,WebKit会发送preflight请求给后者的服务器以访问资源。在preflight请求中WebKit包含由请求页面指定的定制HTTP头字段,这可导致跨站请求伪造攻击。

WebKit Open Source Project WebKit 0 Apple Safari For Windows 3.2.1 Apple Safari 4.0.3 for Windows Apple Safari 4.0.3 Apple Safari 4.0.2 for Windows Apple Safari 4.0.2 Apple Safari 4.0.1 Apple Safari 3.2.3 for Windows Apple Safari 3.2.3 Apple Safari 3.2.2 for Windows Apple Safari 3.1.2 for Windows Apple Safari 3.1.2 Apple Safari 3.1.1 for Windows Apple Safari 3.1.1 Apple Safari 3.0.4 Beta for Windows Apple Safari 3.0.3 Apple Safari 3.0.3 Apple Safari 3.0.2 Beta for Windows Apple Safari 3.0.2 Beta Apple Safari 3.0.1 Beta for Windows Apple Safari 3.0.1 Beta Apple Safari 4 for Windows Apple Safari 4 Beta Apple Safari 4 Beta Apple Safari 4 Apple Safari 3.2 Apple Safari 3.1 for Windows Apple Safari 3.1 Apple Safari 3 Beta for Windows Apple Safari 3 Beta 厂商解决方案 用户可参考如下Apple供应商提供的解决方案: Apple Safari 4.0.3 for Windows Apple APPLE-SA-2009-11-11-1 SafariQuickTimeSetup.exe Safari+QuickTime for Windows 7, Vista or XP http://www.apple.com/safari/download/ Apple APPLE-SA-2009-11-11-1 SafariSetup.exe Safari for Windows 7, Vista or XP http://www.apple.com/safari/download/ Apple Safari 4.0.3 Apple Safari4.0.4Leopard.dmg Safari for Mac OS X v10.5.7 http://www.apple.com/safari/download/ Apple Safari4.0.4SnowLeopard.dmg Safari for Mac OS X v10.6.1 and v10.6.2 http://www.apple.com/safari/download/ Apple Safari4.0.4Tiger.dmg Safari for Mac OS X v10.4.11 http://www.apple.com/safari/download/