apple_webkit_filedisclosure.txt

Posted Apr 24, 2005
Authored by David Remahl | Site remahl.se

AppleWebKit XMLHttpRequest arbitrary file disclosure - Apple Safari 1.2+, Apple RSS 2.0 pre-release, OmniGroup OmniWeb 5.1+, as well as other software based on a common engine, are vulnerable to malicious webservers attacking them and retrieving information (arbitrary files on disk).

tags | advisory, arbitrary
systems | apple
SHA-256 | 0ea575297839fdac0e3654c2488db5abe193e71540f91deb28ffc4cd0bd4c886

The full, up-to-date, text of this advisory is located at:
<http://remahl.se/david/vuln/001/>.

Title: AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability
Date of discovery: 2005-02-13
Date of publication: 2005-04-16
Discovered by: David Remahl (david@remahl.se)
Impact: arbitrary file disclosure, origin validation error
CVE: CAN-2005-0976

AFFECTED PRODUCTS

Verified vulnerable
Apple Safari 1.2+
Apple Safari RSS 2.0, pre-release
OmniGroup OmniWeb 5.1+
Shiira 0.93 does not support automatic disk image mounting but is
vulnerable to other ways of predicting file paths.
Other applications that use recent versions of WebCore/WebKit and
allow JavaScript and the file: protocol

Possibly / partially vulnerable
Other applications that utilize KHTML

Verified not vulnerable
Mozilla Firefox 1.0
Konqueror 3.3 [prevents the redirection to the local file but
allows local files the same access to XMLHttpRequest as Safari and
OmniWeb]
Do not support XMLHttpRequest:
Apple Safari <1.2
OmniGroup OmniWeb 5.0.x
Freeverse BumperCar 1.0

INTRODUCTION

XMLHttpRequest is a JavaScript component that allows scripts to perform
HTTP requests and read their results.

The attack described herein requires that the attacker has the ability
to place an HTML file on the victim's system and predict its path. By
exploiting AppleWebKit's special treatment of XMLHttpRequest when
running from a file: document, the attacker can gain read access to
any file on the system with a known path that the user running the
browser has access to.

The automatic mounting of disk images performed by default by Safari
and OmniWeb provides the attacker with an easy way to get the local
file onto the user's system. Other approaches exist, such as
predicting the path to the user's download directory, or using an
afp:// or ftp:// URL to mount a remote volume and accessing it via
file:///Volumes/resource/.

IMPACT

This vulnerability allows a remote attacker to read files with known
path names on a user's system. The vulnerability also allows the
attacker to bypass the restriction that XMLHttpRequests may only be
made to the server hosting the original document.

There is a potential for other types of disclosure due to the
attacker's opportunity to run any code from a local file.

The impact of this vulnerability is diminished but not eliminated if
the automatic mounting of disk images and remote volumes is disabled.
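The origin validation error described above, modelled as an added JavaScript example (not code from the advisory or from WebKit): a pre-fix policy that exempts file: documents from the same-origin rule, beside a hardened policy that gives file: documents an opaque origin and never lets XMLHttpRequest read file: targets. The function names and URLs are constructed for the illustration.

```javascript
// Added illustration, not code from the advisory or from WebKit: a model of
// the origin check an XMLHttpRequest implementation makes, comparing the
// pre-fix AppleWebKit behaviour described above with a hardened policy.
// Function names and URLs are constructed for the example.

// Pre-fix model: a document that itself came from file: is treated as
// trusted and may request any URL (the "origin validation error" in the
// advisory); documents from other schemes are held to their own origin.
function vulnerableXhrAllowed(documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  if (doc.protocol === "file:") {
    return true;  // special treatment of file: documents: no restriction
  }
  return doc.origin === target.origin;
}

// Hardened model: file: documents get an opaque origin, so they match
// nothing, and no document of any scheme may read file: targets via XHR.
function hardenedXhrAllowed(documentUrl, targetUrl) {
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  if (doc.protocol === "file:" || target.protocol === "file:") {
    return false;
  }
  return doc.origin === target.origin;
}

// Constructed scenarios mirroring the advisory: a page on an auto-mounted
// disk image reading a local file, the same page calling a remote host that
// is not the one that served the original document, and two plain http cases.
const SCENARIOS = [
  { doc: "file:///Volumes/demo_image/page.html",
    target: "file:///Users/alice/Documents/notes.txt" },
  { doc: "file:///Volumes/demo_image/page.html",
    target: "http://collector.example/upload" },
  { doc: "http://site.example/app.html",
    target: "http://site.example/api/data" },
  { doc: "http://site.example/app.html",
    target: "http://other.example/api/data" },
];

// Evaluate every scenario under a policy; returns booleans in scenario
// order so the two models can be compared side by side.
function evaluate(policy) {
  return SCENARIOS.map(s => policy(s.doc, s.target));
}

console.log("vulnerable:", evaluate(vulnerableXhrAllowed));
console.log("hardened:  ", evaluate(hardenedXhrAllowed));
```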

DEMONSTRATION

A benign demonstration of the vulnerability is provided at the
following URL:

http://remahl.se/david/vuln/001/demo.html

The demonstration downloads and mounts a disk image when a link is
clicked. It then redirects an iframe to the predicted path of the
exploit document. The document is also available over http for
completeness. A real attacker would be able to make the attack a lot
more stealthy.

Alternative possibilities of getting a file with a known path onto the
victim's system are discussed on the in-depth discussion page.

VENDOR RESPONSE

OmniGroup
2005-02-13, 19:34 UTC: Working on a fix.
According to CERT (2005-03-17), OmniGroup plans to release a fix
around mid-April.

Apple Computer
2005-02-14, 06:25 UTC: Responded that an investigation is underway.
Does not disclose, discuss or confirm issues until a full
investigation has been completed and patches are available.
2005-03-16, 22:04 UTC: Reported that the issue would be fixed in a
future security update.
2005-03-17: Confirmed that the issue would be fixed in the May
security update (2005-005).
2005-04-15, 00:41 UTC: Reported that the issue is addressed in the
10.3.9 update that was due to be released in two hours.

SOLUTION

For Safari, update to 10.3.9 using software update. See
<http://docs.info.apple.com/article.html?artnum=300966> and
<http://docs.info.apple.com/article.html?artnum=301327> for more
information.
