Sign-up

ID

VAR-200706-0347


CVE

CVE-2007-2399


TITLE

Apple Safari cross-domain HTTP redirection race condition

Trust: 0.8

sources: CERT/CC: VU#289988

DESCRIPTION

WebKit in Apple Mac OS X 10.3.9, 10.4.9 and later, and iPhone before 1.0.1 performs an "invalid type conversion", which allows remote attackers to execute arbitrary code via unspecified frame sets that trigger memory corruption. Apple Safari contains a race condition when handling HTTP redirection when updating pages. This can allow a cross-domain violation. Apple WebCore fails to properly serialize headers into an HTTP request, which can cause a cross-domain security violation. An attacker may exploit this issue by enticing victims into opening a maliciously crafted HTML document. The iPhone is a smartphone developed by Capsule Corporation. There are multiple security holes in the implementation of the iPhone, which can lead to malicious operation of the browser or information leakage. The specific vulnerability entries are as follows: * CVE-2007-2399 WebKit software package has a vulnerability in processing invalid type conversion when generating web pages. ---------------------------------------------------------------------- BETA test the new Secunia Personal Software Inspector! The Secunia PSI detects installed software on your computer and categorises it as either Insecure, End-of-Life, or Up-To-Date. Effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors. Download the free PSI BETA from the Secunia website: https://psi.secunia.com/ ---------------------------------------------------------------------- TITLE: Apple iPhone Multiple Vulnerabilities SECUNIA ADVISORY ID: SA26287 VERIFY ADVISORY: http://secunia.com/advisories/26287/ CRITICAL: Highly critical IMPACT: Cross Site Scripting, Spoofing, DoS, System access WHERE: >From remote OPERATING SYSTEM: Apple iPhone 1.x http://secunia.com/product/15128/ DESCRIPTION: Some vulnerabilities have been reported in Apple iPhone, which can be exploited by malicious people to conduct cross-site scripting and spoofing attacks, and potentially to compromise a vulnerable system. 2) A boundary error in the Perl Compatible Regular Expressions (PCRE) library used by the Javascript engine in Safari can be exploited to cause a heap-based buffer overflow when a user visits a malicious web page. 3) An HTTP injection issue in XMLHttpRequest can be exploited to inject arbitrary HTTP requests. For more information see vulnerability #2 in: SA25786 4) An error in WebKit within in the handling of International Domain Name (IDN) support and Unicode fonts embedded in Safari can be exploited to spoof a URL by registering domain names with certain international characters that resembles other commonly used characters. For more information see vulnerability #1 in: SA25786 SOLUTION: Update to version 1.0.1 (downloadable and installable via iTunes). PROVIDED AND/OR DISCOVERED BY: 1) The vendor credits Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. 2) The vendor credits Charlie Miller and Jake Honoroff of Independent Security Evaluators. 3) The vendor credits Richard Moore, Westpoint Ltd. 5) The vendor credits Rhys Kidd, Westnet. ORIGINAL ADVISORY: http://docs.info.apple.com/article.html?artnum=306173 OTHER REFERENCES: SA25786: http://secunia.com/advisories/25786/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 4.23

sources: NVD: CVE-2007-2399 // CERT/CC: VU#289988 // CERT/CC: VU#845708 // CERT/CC: VU#389868 // JVNDB: JVNDB-2007-001941 // BID: 24597 // VULHUB: VHN-25761 // PACKETSTORM: 58223

AFFECTED PRODUCTS

vendor:apple computermodel: - scope: - version: -

Trust: 2.4

vendor:applemodel:mac os xscope:eqversion:10.3.9

Trust: 1.8

vendor:applemodel:mac os x serverscope:eqversion:10.4.9

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.4.9

Trust: 1.0

vendor:applemodel:mac os x serverscope:eqversion:10.3.9

Trust: 1.0

vendor:applemodel:mac os xscope:eqversion:10.4.9 and later

Trust: 0.8

vendor:applemodel:iphonescope:ltversion:1.0.1

Trust: 0.8

vendor:applemodel:iphonescope:eqversion:1.0

Trust: 0.6

vendor:webkitmodel:open source project webkitscope:eqversion:0

Trust: 0.3

vendor:applemodel:safari beta for windowsscope:eqversion:3.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.4

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:2.0.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.3

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.2

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.1

Trust: 0.3

vendor:applemodel:safariscope:eqversion:1.0

Trust: 0.3

vendor:applemodel:safari beta for windowsscope:eqversion:3

Trust: 0.3

vendor:applemodel:safari betascope:eqversion:3

Trust: 0.3

vendor:applemodel:mobile safariscope:eqversion:0

Trust: 0.3

vendor:applemodel:iphonescope:eqversion:1

Trust: 0.3

vendor:applemodel:safari beta for windowsscope:neversion:3.0.2

Trust: 0.3

vendor:applemodel:iphonescope:neversion:1.0.1

Trust: 0.3

sources: CERT/CC: VU#289988 // CERT/CC: VU#845708 // CERT/CC: VU#389868 // BID: 24597 // JVNDB: JVNDB-2007-001941 // CNNVD: CNNVD-200706-402 // NVD: CVE-2007-2399

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-2399
value: HIGH

Trust: 1.0

CARNEGIE MELLON: VU#289988
value: 0.47

Trust: 0.8

CARNEGIE MELLON: VU#845708
value: 0.57

Trust: 0.8

CARNEGIE MELLON: VU#389868
value: 2.55

Trust: 0.8

NVD: CVE-2007-2399
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200706-402
value: HIGH

Trust: 0.6

VULHUB: VHN-25761
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-2399
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-25761
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#289988 // CERT/CC: VU#845708 // CERT/CC: VU#389868 // VULHUB: VHN-25761 // JVNDB: JVNDB-2007-001941 // CNNVD: CNNVD-200706-402 // NVD: CVE-2007-2399

PROBLEMTYPE DATA

problemtype:NVD-CWE-Other

Trust: 1.0

problemtype:CWE-DesignError

Trust: 0.8

sources: JVNDB: JVNDB-2007-001941 // NVD: CVE-2007-2399

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200706-402

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-200706-402

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2007-001941

PATCH
title:APPLE-SA-2007-06-22url:http://lists.apple.com/archives/Security-announce/2007/Jun/msg00003.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2007-001941

EXTERNAL IDS
db:SECUNIAid:26287
Trust: 4.2
db:CERT/CCid:VU#389868
Trust: 3.6
db:SECUNIAid:25786
Trust: 3.3
db:NVDid:CVE-2007-2399
Trust: 2.8
db:BIDid:24597
Trust: 2.0
db:VUPENid:ADV-2007-2316
Trust: 1.7
db:VUPENid:ADV-2007-2731
Trust: 1.7
db:VUPENid:ADV-2007-2296
Trust: 1.7
db:OSVDBid:36130
Trust: 1.7
db:OSVDBid:36450
Trust: 1.7
db:SECTRACKid:1018281
Trust: 1.7
db:CERT/CCid:VU#289988
Trust: 0.8
db:CERT/CCid:VU#845708
Trust: 0.8
db:JVNDBid:JVNDB-2007-001941
Trust: 0.8
db:CNNVDid:CNNVD-200706-402
Trust: 0.7
db:VULHUBid:VHN-25761
Trust: 0.1
db:PACKETSTORMid:58223
Trust: 0.1
sources:
            
            
            CERT/CC: VU#289988 // 
            
            
            
            CERT/CC: VU#845708 // 
            
            
            
            CERT/CC: VU#389868 // 
            
            
            
            VULHUB: VHN-25761 // 
            
            
            
            BID: 24597 // 
            
            
            
            JVNDB: JVNDB-2007-001941 // 
            
            
            
            PACKETSTORM: 58223 // 
            
            
            
            CNNVD: CNNVD-200706-402 // 
            
            
            
            NVD: CVE-2007-2399

REFERENCES
url:http://docs.info.apple.com/article.html?artnum=306173
Trust: 3.4
url:http://docs.info.apple.com/article.html?artnum=305759
Trust: 3.3
url:http://www.kb.cert.org/vuls/id/389868
Trust: 2.8
url:http://secunia.com/advisories/26287/
Trust: 2.5
url:http://secunia.com/advisories/25786/
Trust: 1.7
url:http://lists.apple.com/archives/security-announce/2007/jun/msg00003.html
Trust: 1.7
url:http://www.securityfocus.com/bid/24597
Trust: 1.7
url:http://osvdb.org/36130
Trust: 1.7
url:http://osvdb.org/36450
Trust: 1.7
url:http://www.securitytracker.com/id?1018281
Trust: 1.7
url:http://secunia.com/advisories/25786
Trust: 1.7
url:http://secunia.com/advisories/26287
Trust: 1.7
url:http://www.vupen.com/english/advisories/2007/2296
Trust: 1.7
url:http://www.vupen.com/english/advisories/2007/2316
Trust: 1.7
url:http://www.vupen.com/english/advisories/2007/2731
Trust: 1.7
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/35019
Trust: 1.7
url:http://developer.apple.com/opensource/internet/webkit.html
Trust: 1.6
url:http://www.apple.com/safari/download/
Trust: 1.1
url:http://www.mozilla.org/projects/security/components/same-origin.html
Trust: 0.8
url:http://docs.info.apple.com/article.html?artnum=61798
Trust: 0.8
url:http://www.cert.org/tech_tips/securing_browser/#safari
Trust: 0.8
url:http://developer.apple.com/internet/webcontent/xmlhttpreq.html
Trust: 0.8
url:http://www.westpoint.ltd.uk/advisories/wp-07-0002.txt
Trust: 0.8
url:http://webkit.opendarwin.org/
Trust: 0.8
url:http://lists.apple.com/archives/security-announce/2007/jun/msg00004.html
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2399
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-2399
Trust: 0.8
url:http://www.apple.com/safari/
Trust: 0.3
url:http://secunia.com/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/product/15128/
Trust: 0.1
url:https://psi.secunia.com/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            CERT/CC: VU#289988 // 
            
            
            
            CERT/CC: VU#845708 // 
            
            
            
            CERT/CC: VU#389868 // 
            
            
            
            VULHUB: VHN-25761 // 
            
            
            
            BID: 24597 // 
            
            
            
            JVNDB: JVNDB-2007-001941 // 
            
            
            
            PACKETSTORM: 58223 // 
            
            
            
            CNNVD: CNNVD-200706-402 // 
            
            
            
            NVD: CVE-2007-2399

CREDITS
Rhys Kidd is credited with discovering this vulnerability.
Trust: 0.3
sources:
            
            
            BID: 24597

SOURCES
db:CERT/CCid:VU#289988
db:CERT/CCid:VU#845708
db:CERT/CCid:VU#389868
db:VULHUBid:VHN-25761
db:BIDid:24597
db:JVNDBid:JVNDB-2007-001941
db:PACKETSTORMid:58223
db:CNNVDid:CNNVD-200706-402
db:NVDid:CVE-2007-2399

LAST UPDATE DATE
2024-08-14T12:42:26.591000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#289988date:2007-09-21T00:00:00
db:CERT/CCid:VU#845708date:2008-09-08T00:00:00
db:CERT/CCid:VU#389868date:2008-06-04T00:00:00
db:VULHUBid:VHN-25761date:2017-07-29T00:00:00
db:BIDid:24597date:2007-08-02T00:05:00
db:JVNDBid:JVNDB-2007-001941date:2012-06-26T00:00:00
db:CNNVDid:CNNVD-200706-402date:2022-08-10T00:00:00
db:NVDid:CVE-2007-2399date:2022-08-09T13:46:58.237

SOURCES RELEASE DATE
db:CERT/CCid:VU#289988date:2007-06-25T00:00:00
db:CERT/CCid:VU#845708date:2007-06-22T00:00:00
db:CERT/CCid:VU#389868date:2007-06-22T00:00:00
db:VULHUBid:VHN-25761date:2007-06-25T00:00:00
db:BIDid:24597date:2007-06-22T00:00:00
db:JVNDBid:JVNDB-2007-001941date:2012-06-26T00:00:00
db:PACKETSTORMid:58223date:2007-08-08T04:01:26
db:CNNVDid:CNNVD-200706-402date:2007-06-25T00:00:00
db:NVDid:CVE-2007-2399date:2007-06-25T19:30:00