08.15
Summary
Safari for Windows employed unsafe content-sniffing behavior on pages
that were served up as text/plain. As a result, an attacker could
cause cross-site scripting to occur in locations that would not normally
be vulnerable. This issue was fixed in Safari 5.1. It has been assigned
the identifier CVE-2010-1420.
How Did It Work?
When web pages were served up with a text/plain content type, Safari
for Windows would determine the correct content handler by looking at
their file extension. For instance, a text/plain document located at
http://example.com/file.html would be parsed as HTML rather than
rendered as text. In most other browsers, a text/plain content type
precludes the content from ever being handled as HTML (IE being the exception).
Of course, that behavior is not very interesting by itself. Most URIs
that serve up content as text/plain don’t also have HTML file
extensions. However, in certain cases it’s possible to append data to
the path portion of the URI without changing how the request is routed.
In those cases it was possible to exploit this content-sniffing behavior
by appending a filename with an HTML extension. It was also possible to
cause cross-site scripting when user-controlled content was served up in
this way.
The simplest example is PHP’s support for PATH_INFO. By default,
most PHP installations allow arbitrary data to be appended to the path
portion of the URI; the portion of the path after the file itself is
stored in $_SERVER['PATH_INFO']. So, just about any PHP script that
serves up content as text/plain could also be used to exploit this vulnerability.
I set up a script, located at http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php, as a demonstration. The code is as follows:
1 2 3 4 5 6 7 8 9 10 | <?php header('Content-type: text/plain'); ?>
<?php header('X-Content-Type-Options: nosniff'); ?>
<html>
<head>
<title>Test</title>
</head>
<body>
<script>alert(1);</script>
</body>
</html>
|
I included the X-Content-Type-Options header for completeness, since it’s used by IE to override similar insecure content-sniffing behavior. As expected, Safari for Windows ignored the header.
To use the script for testing, I simply appended a forward slash to the URL, followed by a filename. Safari used the newly provided extension to determine how the file contents were parsed. Some examples:
- HTML:
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.htm
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.html
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.shtml
- SWF:
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.swf
- PDF:
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.pdf
- EXE:
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.exe
- XML:
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.xml
- http://sandboxing.me/poc/b82553b2869b7fa80766ec55073e998a.php/test.xhtml
What about OS X?
Safari for OS X did not exhibit the same behavior: in fact, it appears that similar behavior was patched in 10.4.4 (see http://www.mnot.net/blog/2006/01/11/safari_content_sniffing).
Example Vulnerability
Bug 637981, which was recently patched in Bugzilla, relies upon this
content sniffing behavior. Raw user-supplied content (in the form of an
attached patch file) was being served as text/plain from the main
Bugzilla domain. By uploading a malicious patch file, it was possible to
cause Safari (and IE) to execute arbitrary Javascript.
Conclusion
I would like to thank Apple Product Security for handling my report and keeping me in the loop as the issue was patched. I also want to acknowledge Hidetake Jo, who discovered this vulnerability independently.