Apple Safari WebKit Flaw Lets Remote Users Fill Out Form Inputs on a Target Web Page for a Target User

SecurityTracker Alert ID: 1027053
SecurityTracker URL: http://securitytracker.com/id/1027053
CVE Reference: CVE-2012-0676
Date: May 10 2012
Impact: Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 5.1.7

Description:
A vulnerability was reported in Apple Safari. A remote user can cause form inputs to be filled out on a target web page.
A remote user can create specially crafted HTML that, when loaded by the target user, will populate form inputs on a target web page with arbitrary values.
Andreas Akre Solberg of UNINETT AS, Aaron Roots of Deakin University ITSD, and Tyler Goen reported this vulnerability.
Impact:
A remote user can cause the target user's browser to populate form inputs on a target web page with arbitrary values.
Solution:
The vendor has issued a fix.
The vendor's advisory is available at:
http://support.apple.com/kb/HT1222

Vendor URL: support.apple.com/kb/HT1222
Cause: Access control error
Underlying OS: UNIX (OS X), Windows (7), Windows (Vista), Windows (XP)
Message History: None.

Source Message Contents

Date: Thu, 10 May 2012 01:32:23 +0000
Subject: Apple Safari

Excerpt from APPLE-SA-2012-05-09-2 Safari 5.1.7
WebKit
Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8,
OS X Lion v10.7.4, OS X Lion Server v10.7.4, Windows 7, Vista,
XP SP2 or later
Impact: A maliciously crafted website may be able to populate form
inputs on another website with arbitrary values
Description: A state tracking issue existed in WebKit's handling of
forms.
CVE-ID
CVE-2012-0676 : Andreas Akre Solberg of UNINETT AS, Aaron Roots of
Deakin University ITSD, Tyler Goen