gkontoletas
trouble in my brain
- Μηνύματα
- 16.841
- Reaction score
- 2.192
[MajorSecurity-SA-2012-014]Apple Safari on iOS 5.1 - Adressbar spoofing vulnerability
Details
=============
Product: Apple Mobile Safari on iOS 5.1
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.apple.com/
Advisory-Status: published
Credits
=============
Discovered by: David Vieira-Kurz of MajorSecurity
Affected Products
=============
Apple Mobile Safari on iOS 5.1
Prior versions may also be affected
The affected version produced following user-agent header
==========================
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Testing environment
==========================
The proof of concept has been tested on an iPhone4, iPhone4S, iPad2 and iPad3 running iOS 5.1
Description
=============
"Mobile Safari is web browser for Apple's iOS."
More Details
=============
David Vieira-Kurz has discovered some vulnerabilities in Apple Mobile Safari based on AppleWebkit/534.46 running on iOS 5.1.
The weakness is caused due to an error within the handling of URLs when using javascript's window.open() method.
This can be exploited to potentially trick users into supplying sensitive information to a malicious web site,
because information displayed in the address bar can be constructed in a certain way,
which may lead users to believe that they're visiting another web site than the displayed web site.
Steps to reproduce
=============
1) Visit http://majorsecurity.net/html5/ios51-demo.html with Safari on iOS 5.1
2) click the "demo" button
3) Safari will open a new window with "http://www.apple.com" in the adress bar,
but in fact "http://www.apple.com" is being displayed inside an iframe within
the host http://www.majorsecurity.net
4) Safari's adress bar is showing "http://www.apple.com" which makes the user believe he/she is currently
visiting Apple.com while he's still on the attacker's website .
Proof of Concept
=============
A proof-of-concept code is available here:
http://majorsecurity.net/html5/ios51-demo.html
Solution
=============
Users should upgrade to a newer version as far as the vendor has supplied a patch.
http://www.majorsecurity.net/safari-514-ios51-advisory.php
Details
=============
Product: Apple Mobile Safari on iOS 5.1
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.apple.com/
Advisory-Status: published
Credits
=============
Discovered by: David Vieira-Kurz of MajorSecurity
Affected Products
=============
Apple Mobile Safari on iOS 5.1
Prior versions may also be affected
The affected version produced following user-agent header
==========================
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3
Testing environment
==========================
The proof of concept has been tested on an iPhone4, iPhone4S, iPad2 and iPad3 running iOS 5.1
Description
=============
"Mobile Safari is web browser for Apple's iOS."
More Details
=============
David Vieira-Kurz has discovered some vulnerabilities in Apple Mobile Safari based on AppleWebkit/534.46 running on iOS 5.1.
The weakness is caused due to an error within the handling of URLs when using javascript's window.open() method.
This can be exploited to potentially trick users into supplying sensitive information to a malicious web site,
because information displayed in the address bar can be constructed in a certain way,
which may lead users to believe that they're visiting another web site than the displayed web site.
Steps to reproduce
=============
1) Visit http://majorsecurity.net/html5/ios51-demo.html with Safari on iOS 5.1
2) click the "demo" button
3) Safari will open a new window with "http://www.apple.com" in the adress bar,
but in fact "http://www.apple.com" is being displayed inside an iframe within
the host http://www.majorsecurity.net
4) Safari's adress bar is showing "http://www.apple.com" which makes the user believe he/she is currently
visiting Apple.com while he's still on the attacker's website .
Proof of Concept
=============
A proof-of-concept code is available here:
http://majorsecurity.net/html5/ios51-demo.html
Solution
=============
Users should upgrade to a newer version as far as the vendor has supplied a patch.
http://www.majorsecurity.net/safari-514-ios51-advisory.php
