Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Safari XMLHttpRequest HTTP header injection
From: Richard Moore <rich () westpoint ltd uk>
Date: Mon, 25 Jun 2007 12:03:18 +0100

Westpoint Security Advisory

Title:        Safari XMLHttpRequest HTTP header injection
Risk Rating:  Low
Platforms:    MacOS and Windows
Author:       Richard Moore <rich () westpoint ltd uk>
Date:         25 June 2007
Advisory ID#: wp-07-0002
URL:          http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
CVE:          CVE-2007-2401


The XMLHttpRequest object is intended to enforce a same-origin
security policy, and to prevent the injection of HTTP headers that
can be used maliciously. Unpatched releases of Safari on both Windows
and MacOS X allow JavaScript to bypass these restrictions. It is
possible to insert arbitrary HTTP headers into the request, including
the Host header.

Apple has released APPLE-SA-2007-06-22 Security Update 2007-006, and
APPLE-SA-2007-06-22 Safari 3 Beta Update 3.0.2 which address this


It is possible to bypass the security restrictions of the XMLHttpRequest
setRequestHeader function to include arbitrary headers by specifying
values containing newline characters. For example, a request such as
this is treated as valid:

xmlhttp.setRequestHeader('Foo', 'baa\nHost: test\n');

and results in:

GET / HTTP/1.1
Accept-Encoding: gzip, deflate
Accept-Language: en
Foo: baa
Host: test


This allows a malicious site to cause the user's browser to attack
other sites that are virtual servers on the same IP address (eg. via
SQL injection or cross-site scripting). Potentially any header can be
injected. If the user is accessing the web via a proxy then potentially
any site can be attacked.


14/06/2007      Apple informed of the vulnerability
22/06/2007      Patch released
25/06/2007      Confirmed that the fix addresses the issue
25/06/2007      Westpoint advisory release

Richard Moore, Principal Software Engineer,
Westpoint Ltd,
Albion Wharf, 19 Albion Street, Manchester, M1 5LN, England
Tel: +44 161 237 1028
Fax: +44 161 237 1031

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Safari XMLHttpRequest HTTP header injection Richard Moore (Jun 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]