Full Disclosure: Apple Safari: cookie stealing

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Apple Safari: cookie stealing

From: Robert Swiecki <jagger () swiecki net>
Date: Wed, 13 Jun 2007 12:34:42 +0200


There is a vulnerability in Apple Safari, that allows an attacker to
steal a cookie belonging to the arbitrary domain or/and fill the browser
window with an arbitrary content, whereas the url bar and the browser's
window title is derived from the selected domain.

The flaw exists in the javascript's window.setTimeout() implementation.
The content of the timer-triggered function is processed after
window.location property is changed.

Tested with Apple Safari 3.0 (522.11.3) on MS Windows 2003 SE SP2

http://alt.swiecki.net/safc.html

-- 
Robert Swiecki
http://www.swiecki.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Apple Safari: cookie stealing Robert Swiecki (Jun 13)
- Re: Apple Safari: cookie stealing Michal Zalewski (Jun 13)
- Re: Apple Safari: urlbar/window title spoofing Robert Swiecki (Jun 14)
  - Re: Apple Safari: urlbar/window title spoofing Mark Senior (Jun 15)
  - Re: Apple Safari: idn urlbar spoofing Robert Swiecki (Jun 25)
    - Re: Apple Safari: idn urlbar spoofing Larry Seltzer (Jun 25)