Bug 14081 - Safari for Windows, 0day URL protocol handler command injection
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform
Version: 523.x (Safari 3)
Hardware: PC Windows XP
Importance: P2 Critical
Assignee: Nobody
URL: http://larholm.com/2007/06/12/safari-...
Keywords: InRadar
Reported: 2007-06-11 19:01 PDT by Thor Larholm
Modified: 2007-06-14 11:30 PDT
Description Thor Larholm 2007-06-11 19:01:17 PDT
There is a URL protocol handler command injection vulnerability in Safari for Windows that allows you to execute shell commands with arbitrary arguments. This vulnerability can be triggered without user interaction simply by visiting a webpage. The full advisory and a working Proof of Concept exploit can be found at the above URL.

I'm guessing that WebKit might be affected as well.
Comment 1 Brady Eidson 2007-06-12 00:27:20 PDT
<rdar://problem/5264427>
Comment 2 Thor Larholm 2007-06-13 15:11:08 PDT
(In reply to comment #1)
> <rdar://problem/5264427>
> 

Is that some sort of bug or patch identifier?

I never got a reply from product-security@apple.com and the first non-automated action I saw in here was someone from 'gentlyusedunderwear.com' being added on CC.
Comment 3 David Kilzer (:ddkilzer) 2007-06-13 17:32:41 PDT
(In reply to comment #2)
> (In reply to comment #1)
> > <rdar://problem/5264427>
> 
> Is that some sort of bug or patch identifier?

This means a bug was created in Apple's internal bug database for this bug.

> I never got a reply from product-security@apple.com and the first non-automated
> action I saw in here was someone from 'gentlyusedunderwear.com' being added on
> CC.

This bug database is open to anyone who creates an account, so anyone may add themselves to the bug to track it.

Comment 4 Thor Larholm 2007-06-14 05:33:38 PDT
Well 'gentlyusedunderwear' seems to be a regular in here, it's just not the first thing I expected to see on a security report ;)

I can see that Apple has fixed this vulnerability in Safari, see http://lists.apple.com/archives/Security-announce/2007/Jun/msg00000.html

Can any of you at least confirm or deny whether this vulnerability is present in WebKit? The bug report is still at UNCONFIRMED.
Comment 5 Brady Eidson 2007-06-14 11:20:44 PDT
Thanks very much for reporting this bug!

We commonly track important bugs in both Bugzilla and Radar, which is Apple's internal bug tracking system.  You can see that pattern on the Bugzilla quite often.

In this case, the bug turned out to be a Safari bug and not a WebKit bug.  

Bugs you're sure belong to Safari can be submitted at http://bugreport.apple.com
If you don't have an ADC membership, you can get a free one following the link on that page.

Closing as invalid, since that is our standard procedure for WebKit bugs that end up being Safari bugs instead.

Again, thanks for the report!
Comment 6 Mark Rowe (bdash) 2007-06-14 11:30:17 PDT
And as always, security-related bug reports on Apple products should also be provided to product-security@apple.com.