This article translated from:
Translator: Holic (Knownsec 404 Security Lab)
Translator's note: as of the translation date, the Japanese version had been updated with some additional content. This article is translated from the English version of the original, with part of the added content taken from the Japanese original.
This article shares the details of the Safari UXSS vulnerability CVE-2016-4758, which was fixed in Safari 10.
Official link: https://support.apple.com/en-us/HT207157
> WebKit. Available for: OS X Yosemite v10.10.5, OS X Yosemite v10.11.6, and macOS Sierra 10.12. Impact: Visiting a maliciously crafted website may leak sensitive data. Description: A permissions issue existed in the handling of the location variable. This was addressed through the additional ownership checks. CVE-2016-4758: Masato Kinugawa of Cure53
For reference, the mobile version of Safari is not affected by this vulnerability, because it has no showModalDialog method. IE's showModalDialog can also be used in relation to its XSS protection mechanism; for details see the following link: http://masatokinugawa.l0.cm/2015/06/xss6.html
Original author's note:
> By the way, while finishing a blog post about this behavior, I noticed a more serious problem; what follows describes this "serious problem".
window.open("/", "_blank", a)
2. Redirect after the page has loaded
The original author set up a test page: https://vulnerabledoma.in/safari_uxss_showModalDialog/target.html
the showModalDialog method. The following page opens in a modal dialog (modal window).
Safari, however, behaves differently: it unexpectedly navigates to the https://l0.cm/index.html page. Clearly, Safari confuses the base URL of the parent window with that of the modal window.
In this case, if a relative URL carries private information, a page on another origin can obtain that private information.
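To make the base URL confusion concrete, here is an added example (not from the original post or its author): it resolves the same relative reference against the parent document's URL and against a page on another host using the WHATWG URL API, and shows a same-origin guard that refuses to build a request whose resolved target leaves the expected origin. The path, the token query parameter and the expected origin are constructed assumptions.

```javascript
// Added example (not from the original post). Shows, with the WHATWG URL API,
// how one relative reference resolves to different origins depending on which
// document is used as the base, and a guard that refuses to issue a request
// whose resolved target leaves the expected origin. All values are constructed.

const EXPECTED_ORIGIN = "https://vulnerabledoma.in"; // constructed sample origin

// Resolve a relative reference against a base document URL (URL standard rules).
function resolveAgainst(base, relative) {
  return new URL(relative, base).href;
}

// Return the resolved URL if it stays on the expected origin, otherwise null.
// A caller that would put a secret in the path or query gets null instead of a
// request to the wrong host.
function sameOriginTarget(base, relative, expectedOrigin = EXPECTED_ORIGIN) {
  const target = new URL(relative, base);
  return target.origin === expectedOrigin ? target.href : null;
}

// Compare a relative request carrying a session token when the base is the
// parent document versus a page on another host.
function demo() {
  const relative = "api/profile?token=SESSION_TOKEN_PLACEHOLDER"; // constructed
  const parentBase =
    "https://vulnerabledoma.in/safari_uxss_showModalDialog/target.html";
  const otherBase = "https://l0.cm/index.html";
  return {
    viaParent: resolveAgainst(parentBase, relative),
    viaOther: resolveAgainst(otherBase, relative),
    guardedParent: sameOriginTarget(parentBase, relative),
    guardedOther: sameOriginTarget(otherBase, relative),
  };
}

console.log(demo());
```

Resolved against the parent document the token stays on vulnerabledoma.in; resolved against the other host the very same relative string becomes a request to l0.cm carrying the token, which is the leak the post describes. The guard returns null in that second case, so the secret is never sent.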
xhr.open("GET", [URL]) uses the correct URL.)
According to html5sec.org#42, Safari allows
My conjecture was confirmed. The following is the final PoC:
The original author reported this vulnerability on June 15, 2015; before that, the bug had existed in WebKit for over a year.