SecurityTracker.com


Category:   Application (Web Browser)  >   Apple Safari
Vendors:   Apple
Apple Safari Bugs Let Remote Users Spoof the URL Address Bar, Bypass Cookie Restrictions, and Obtain Authentication Information
SecurityTracker Alert ID:  1026785
SecurityTracker URL:  http://securitytracker.com/id/1026785
CVE Reference:   CVE-2012-0584, CVE-2012-0640, CVE-2012-0647
Date:  Mar 12 2012
Impact:   Disclosure of authentication information, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 5.1.4
Description:   Several vulnerabilities were reported in Apple Safari. A remote user can spoof URLs. A remote user can bypass cookie restrictions. A remote user can obtain HTTP authentication credentials.

A remote user can create a specially crafted URL containing International Domain Name (IDN) characters to load a spoofed site that appears to have an arbitrary URL in the address bar [CVE-2012-0584]. Only Windows-based systems are affected. Matt Cooley of Symantec reported this vulnerability.

A remote 3rd-party web site can set a cookie even if the browser is configured to block 3rd-party cookies [CVE-2012-0640]. nshah reported this vulnerability.

When a remote site uses HTTP authentication and redirects to another site, the HTTP authentication credentials may be sent to the other site [CVE-2012-0647]. An anonymous researcher reported this vulnerability.
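The check that keeps HTTP authentication credentials from following a redirect to another site [CVE-2012-0647], as an added example that is not taken from this advisory or from Apple's code. The advisory does not describe Safari's fix; this shows the general same-origin comparison a client can apply, and the function names, hostnames and header values are hypothetical.

```javascript
// Added example: decide which headers survive each hop of a redirect chain.
// Hostnames and the credential value below are constructed sample data.
const CREDENTIAL_HEADERS = ["authorization"];

// Resolve a Location header (absolute or relative) against the URL that sent it.
function resolveRedirect(currentUrl, location) {
  return new URL(location, currentUrl);
}

// Return a copy of `headers` without credential headers when the redirect
// leaves the origin (scheme + host + port) the credentials were sent to.
function headersForRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = resolveRedirect(currentUrl, location);
  const sameOrigin = from.origin === to.origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return { url: to.href, headers: out, crossOrigin: !sameOrigin };
}

// Walk a chain of Location values. Once credentials are dropped they stay
// dropped, even if a later hop returns to the original origin.
function followChain(startUrl, locations, headers) {
  const hops = [];
  let url = startUrl;
  let current = headers;
  for (const location of locations) {
    const next = headersForRedirect(url, location, current);
    hops.push(next);
    url = next.url;
    current = next.headers;
  }
  return hops;
}

const SAMPLE_HEADERS = { Authorization: "Basic PLACEHOLDER", Accept: "text/html" };
const SAMPLE_CHAIN = followChain("https://intranet.example/login", [
  "/home",                          // relative, same origin
  "https://other.example/landing",  // different host
  "https://intranet.example/back",  // back to the first origin
], SAMPLE_HEADERS);
```

A scheme downgrade or a port change on the same hostname also counts as a different origin here, so credentials are dropped in those cases too.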

Impact:   A remote user can spoof URLs.

A remote user can bypass cookie restrictions.

A remote user can obtain HTTP authentication credentials in certain cases.

Solution:   The vendor has issued a fix (5.1.4).

The vendor's advisory will be available at:

http://support.apple.com/kb/HT1222

Vendor URL:  support.apple.com/kb/HT1222
Cause:   Access control error
Underlying OS:  UNIX (macOS/OS X), Windows (7), Windows (Vista), Windows (XP)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC