Professional Webmasters Community

Apple's Safari 4 fixes local file theft attack

Post by andry, Fri Oct 15, 2010 12:54 am

Safari 4 was just released and among the various improvements is a range of security fixes. One of these fixes is for an XXE attack against the parsing of the XSL XML. Full technical details may be found here:

http://scary.beasts.org/security/CESA-2009-006.html

Or for the lazy, you can skip straight to the:

Demo for Safari 3 / MacOS
Demo for Safari 3 / Windows

I found it interesting that Safari 3 seemed robust against XXE attacks in general -- there are a lot of places that browsers find themselves parsing XML (XmlHttpRequest, prettifying XML mime type documents, SVG, E4X, etc.) However, the relatively obscure area of the XSL XML succumbed to an XXE attack.

(Note: awareness of XXE attacks remains low despite the issue being documented since at least 2002).
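Added illustration (not code from the post or from the linked advisory): the same bug class reproduced with Python's xml.sax standing in for Safari's XSLT engine, using a constructed document whose DTD points an external entity at a temp file we create ourselves. It shows the weak parser setting that leaks the file's contents next to the two defensive settings, leaving external general entities off (Python's default since 3.7.1) and refusing any document that carries a DOCTYPE. The names `SECRET_PATH`, `xxe_document`, `TextCollector`, `DoctypeGate` and `parse_text` are mine.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, property_lexical_handler

# Constructed stand-in for the local file an XXE payload would try to read.
SECRET_PATH = os.path.join(tempfile.mkdtemp(), "secret.txt")
with open(SECRET_PATH, "w", encoding="utf-8") as fh:
    fh.write("local-secret-data")

def xxe_document(path):
    # Constructed input: a DTD backs an external entity with a local file, the body references it.
    return ('<?xml version="1.0"?>\n'
            '<!DOCTYPE doc [ <!ENTITY ext SYSTEM "%s"> ]>\n'
            '<doc>&ext;</doc>' % path)

class TextCollector(ContentHandler):
    # Gathers the character data the consumer (here standing in for an XSLT engine) sees.
    def __init__(self):
        super().__init__()
        self.parts = []
    def characters(self, content):
        self.parts.append(content)

class DoctypeGate:
    # SAX lexical handler rejecting any DTD: the simplest XXE mitigation when none is needed.
    def __init__(self, allow_doctype):
        self.allow_doctype = allow_doctype
    def startDTD(self, name, public_id, system_id):
        if not self.allow_doctype:
            raise ValueError("document rejected: DOCTYPE %r not allowed" % name)
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass

def parse_text(doc, resolve_external_entities, allow_doctype):
    # Returns the document's text content, or None when the DOCTYPE gate rejects it.
    parser = xml.sax.make_parser()
    # Weak setting: honouring external general entities lets &ext; pull in the file.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setProperty(property_lexical_handler, DoctypeGate(allow_doctype))
    collector = TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(doc.encode("utf-8")))
    except ValueError:
        return None
    return "".join(collector.parts)
```

With entity resolution on, the file's contents come back as ordinary text; with it off the reference resolves to nothing, and the DOCTYPE gate stops the document before any entity is consulted.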
