Bug 14081

Summary: Safari for Windows, 0day URL protocol handler command injection
Product: WebKit
Reporter: Thor Larholm <bugs.webkit.org>
Component: Platform
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID
Severity: Critical
CC: bugs-webkit, mrowe, webkit-bugs
Priority: P2
Keywords: InRadar
Version: 523.x (Safari 3)
Hardware: PC
OS: Windows XP
URL: http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/

Thor Larholm
Reported 2007-06-11 19:01:17 PDT
There is a URL protocol handler command injection vulnerability in Safari for Windows that allows you to execute shell commands with arbitrary arguments. This vulnerability can be triggered without user interaction simply by visiting a webpage. The full advisory and a working Proof of Concept exploit can be found at the above URL. I'm guessing that Webkit might be affected as well.
Brady Eidson
Comment 1 2007-06-12 00:27:20 PDT
Thor Larholm
Comment 2 2007-06-13 15:11:08 PDT
(In reply to comment #1)
> <rdar://problem/5264427>

Is that some sort of bug or patch identifier?

I never got a reply from product-security@apple.com and the first non-automated action I saw in here was someone from 'gentlyusedunderwear.com' being added on CC.
David Kilzer (:ddkilzer)
Comment 3 2007-06-13 17:32:41 PDT
(In reply to comment #2)
> (In reply to comment #1)
> > <rdar://problem/5264427>
>
> Is that some sort of bug or patch identifier?

This means a bug was created in Apple's internal bug database for this bug.

> I never got a reply from product-security@apple.com and the first non-automated
> action I saw in here was someone from 'gentlyusedunderwear.com' being added on
> CC.

This bug database is open to anyone who creates an account, so anyone may add themselves to the bug to track it.
Thor Larholm
Comment 4 2007-06-14 05:33:38 PDT
Well 'gentlyusedunderwear' seems to be a regular in here, it's just not the first thing I expected to see on a security report ;)

I can see that Apple has fixed this vulnerability in Safari, see http://lists.apple.com/archives/Security-announce/2007/Jun/msg00000.html

Can any of you at least confirm or deny whether this vulnerability is present in WebKit? The bug report is still at UNCONFIRMED.
Brady Eidson
Comment 5 2007-06-14 11:20:44 PDT
Thanks very much for reporting this bug!

We commonly track important bugs in both Bugzilla and Radar, which is Apple's internal bug tracking system. You can see that pattern on the Bugzilla quite often.

In this case, the bug turned out to be a Safari bug and not a WebKit bug. Bugs you're sure belong to Safari can be submitted at http://bugreport.apple.com

If you don't have an ADC membership, you can get a free one following the link on that page.

Closing as invalid, since that is our standard procedure for WebKit bugs that end up being Safari bugs instead.

Again, thanks for the report!
Mark Rowe (bdash)
Comment 6 2007-06-14 11:30:17 PDT
And as always, security-related bug reports on Apple products should also be provided to product-security@apple.com.