VAR-200706-0346
Vulnerability from variot - Updated: 2023-12-18 11:31

Apple Safari 3.0.1 beta (522.12.12) on Windows allows remote attackers to modify the window title and address bar while filling the main window with arbitrary content by setting the location bar and using setTimeout() to create an event that modifies the window content, which could facilitate phishing attacks. Attackers may exploit this vulnerability via a malicious webpage to spoof the contents and origin of a page that the victim may trust. Attackers may find this issue useful in phishing or other attacks that rely on content spoofing. Safari 3.0.1 (522.12.12) on Windows 2003 SE SP2 is reported vulnerable; other versions may also be affected.

Apple Safari is a web browser developed by Apple and is the default browser included with the Mac OS X and iOS operating systems. There is a vulnerability in the implementation of Safari for Windows, and remote attackers may use this vulnerability to perform malicious operations on the user's machine. If a user is tricked into visiting content on a malicious site, an attacker can forge content on a legitimate site, steal user credentials, or perform other phishing attacks.

There are vulnerabilities in Konqueror that allow an attacker to spoof the URL address bar.
The first example uses setInterval() call with relatively small interval value (e.g. 0) to change window.location property. A browser is entrapped within the attacking web site while the user thinks that browser actually left the page.
http://alt.swiecki.net/konq2.html
The very similar problem affects Apple Safari (3.0.3) but due to recent changes in Safari code (vide http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2398 ) it's a lot harder to conduct a successful attack - URL address bar content changes so frequently that the attack is revealed to the user (variants of attack are currently under investigation).
The second one is based on the http URI scheme which allows embedding user/password parameters into it, i.e. http://user:password@domain.com. Such parameters can contain whitespaces, so the attack vector is quite obvious.
http://alt.swiecki.net/konq3.html
Tested with Konqueror 3.5.7 on Linux 2.6
The snapshot from my desktop: http://alt.swiecki.net/konq3.png
-- Robert Swiecki
{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200706-0346",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "safari",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "3.0.1"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "version"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "3.1.1"
},
{
"model": "windows 2003 server",
"scope": "eq",
"trust": 0.6,
"vendor": "microsoft",
"version": "sp2"
},
{
"model": "safari beta for windows",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "3.0.1"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.3,
"vendor": "apple",
"version": "3.1"
},
{
"model": "safari",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "3.1.1"
},
{
"model": "safari beta for windows",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "3.0.2"
},
{
"model": "safari",
"scope": "ne",
"trust": 0.3,
"vendor": "apple",
"version": "2.0.4"
}
],
"sources": [
{
"db": "BID",
"id": "24484"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:microsoft:windows_2003_server:sp2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": false
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apple:safari:3.0.1:*:windows:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
],
"cpe_match": [],
"operator": "AND"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2007-2398"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Robert Swiecki\u203b robert@swiecki.net",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
],
"trust": 0.6
},
"cve": "CVE-2007-2398",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 6.9,
"integrityImpact": "COMPLETE",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:C/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 7.1,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2007-2398",
"impactScore": null,
"integrityImpact": "Complete",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "High",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:C/A:N",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"id": "VHN-25760",
"impactScore": 6.9,
"integrityImpact": "COMPLETE",
"severity": "HIGH",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:N/I:C/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2007-2398",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-200706-350",
"trust": 0.6,
"value": "HIGH"
},
{
"author": "VULHUB",
"id": "VHN-25760",
"trust": 0.1,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-25760"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple Safari 3.0.1 beta (522.12.12) on Windows allows remote attackers to modify the window title and address bar while filling the main window with arbitrary content by setting the location bar and using setTimeout() to create an event that modifies the window content, which could facilitate phishing attacks. \nAttackers may exploit this vulnerability via a malicious webpage to spoof the contents and origin of a page that the victim may trust. Attackers may find this issue useful in phishing or other attacks that rely on content spoofing. \nSafari 3.0.1 (522.12.12) on Windows 2003 SE SP2 is reported vulnerable; other versions may also be affected. Apple Apple Safari is a web browser developed by Apple (Apple), and is the default browser included with Mac OS X and iOS operating systems. There is a vulnerability in the implementation of Safari for Windows, and remote attackers may use this vulnerability to perform malicious operations on the user\u0027s machine. If a user is tricked into visiting content on a malicious site, an attacker can forge content on a legitimate site, steal user credentials, or perform other phishing attacks. \nThere are vulnerabilities in Konqueror that allow an attacker to\nspoof the URL adddress bar. \n\nThe first example uses setInterval() call with relatively small interval\nvalue (e.g. 0) to change window.location property. A browser is\nentrapped within the attacking web site while the user thinks that\nbrowser actually left the page. \n\nhttp://alt.swiecki.net/konq2.html\n\nThe very similar problem affects Apple Safari (3.0.3) but due to\nrecent changes in Safari code (vide\nhttp://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2398 ) it\u0027s a lot harder to\nconduct a successful attack - URL address bat content changes so\nfrequently so the attack is revealed to the user (variants of attack are\ncurrently under investigation). \n\nThe second one is based on the http URI scheme which allows embedding\nuser/password parameters into it, i.e. http://user:password@domain.com. \nSuch parameters can contain whitespaces, so the attack vector is quite\nobvious. \n\nhttp://alt.swiecki.net/konq3.html\n\nTested with Konqueror 3.5.7 on Linux 2.6\n\nThe snapshot from my dekstop:\nhttp://alt.swiecki.net/konq3.png\n\n-- \nRobert Swiecki\n\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"db": "BID",
"id": "24484"
},
{
"db": "VULHUB",
"id": "VHN-25760"
},
{
"db": "PACKETSTORM",
"id": "58353"
}
],
"trust": 2.07
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2007-2398",
"trust": 2.9
},
{
"db": "BID",
"id": "24484",
"trust": 2.8
},
{
"db": "SECTRACK",
"id": "1018282",
"trust": 2.5
},
{
"db": "VUPEN",
"id": "ADV-2007-2316",
"trust": 1.7
},
{
"db": "VUPEN",
"id": "ADV-2008-0979",
"trust": 1.7
},
{
"db": "XF",
"id": "35050",
"trust": 1.4
},
{
"db": "OSVDB",
"id": "38862",
"trust": 1.1
},
{
"db": "JVNDB",
"id": "JVNDB-2007-001160",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200706-350",
"trust": 0.7
},
{
"db": "BUGTRAQ",
"id": "20070614 RE: [FULL-DISCLOSURE] APPLE SAFARI: URLBAR/WINDOW TITLE SPOOFING",
"trust": 0.6
},
{
"db": "BUGTRAQ",
"id": "20070615 RE: [FULL-DISCLOSURE] APPLE SAFARI: URLBAR/WINDOW TITLE SPOOFING",
"trust": 0.6
},
{
"db": "APPLE",
"id": "APPLE-SA-2008-04-16",
"trust": 0.6
},
{
"db": "APPLE",
"id": "APPLE-SA-2007-06-22",
"trust": 0.6
},
{
"db": "FULLDISC",
"id": "20070614 RE: APPLE SAFARI: URLBAR/WINDOW TITLE SPOOFING",
"trust": 0.6
},
{
"db": "VULHUB",
"id": "VHN-25760",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "58353",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-25760"
},
{
"db": "BID",
"id": "24484"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"db": "PACKETSTORM",
"id": "58353"
},
{
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
]
},
"id": "VAR-200706-0346",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-25760"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T11:31:38.329000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Safari 3.1.1",
"trust": 0.8,
"url": "http://support.apple.com/kb/ht1467"
},
{
"title": "Safari 3.1.1",
"trust": 0.8,
"url": "http://support.apple.com/kb/ht1467?viewlocale=ja_jp"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2007-2398"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/24484"
},
{
"trust": 2.5,
"url": "http://www.securitytracker.com/id?1018282"
},
{
"trust": 2.0,
"url": "http://support.apple.com/kb/ht1467"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2007/jun/msg00004.html"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2008/apr/msg00001.html"
},
{
"trust": 1.7,
"url": "http://www.securityfocus.com/archive/1/471454/100/0/threaded"
},
{
"trust": 1.7,
"url": "http://archives.neohapsis.com/archives/fulldisclosure/2007-06/0311.html"
},
{
"trust": 1.7,
"url": "http://www.vupen.com/english/advisories/2008/0979/references"
},
{
"trust": 1.4,
"url": "http://www.frsirt.com/english/advisories/2007/2316"
},
{
"trust": 1.4,
"url": "http://xforce.iss.net/xforce/xfdb/35050"
},
{
"trust": 1.1,
"url": "http://www.securityfocus.com/archive/1/471452/100/0/threaded"
},
{
"trust": 1.1,
"url": "http://osvdb.org/38862"
},
{
"trust": 1.1,
"url": "http://www.vupen.com/english/advisories/2007/2316"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/35050"
},
{
"trust": 0.9,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2007-2398"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-2398"
},
{
"trust": 0.6,
"url": "http://www.securityfocus.com/archive/1/archive/1/471452/100/0/threaded"
},
{
"trust": 0.3,
"url": "http://www.apple.com/safari/"
},
{
"trust": 0.3,
"url": "/archive/1/471452"
},
{
"trust": 0.3,
"url": "/archive/1/471454"
},
{
"trust": 0.1,
"url": "http://alt.swiecki.net/konq2.html"
},
{
"trust": 0.1,
"url": "http://alt.swiecki.net/konq3.png"
},
{
"trust": 0.1,
"url": "http://user:password@domain.com."
},
{
"trust": 0.1,
"url": "http://alt.swiecki.net/konq3.html"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-25760"
},
{
"db": "BID",
"id": "24484"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"db": "PACKETSTORM",
"id": "58353"
},
{
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-25760"
},
{
"db": "BID",
"id": "24484"
},
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"db": "PACKETSTORM",
"id": "58353"
},
{
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2007-06-21T00:00:00",
"db": "VULHUB",
"id": "VHN-25760"
},
{
"date": "2007-06-14T00:00:00",
"db": "BID",
"id": "24484"
},
{
"date": "2008-05-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"date": "2007-08-08T07:37:42",
"db": "PACKETSTORM",
"id": "58353"
},
{
"date": "2007-06-21T10:30:00",
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"date": "2007-06-21T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2018-10-16T00:00:00",
"db": "VULHUB",
"id": "VHN-25760"
},
{
"date": "2008-04-18T00:28:00",
"db": "BID",
"id": "24484"
},
{
"date": "2008-05-13T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2007-001160"
},
{
"date": "2018-10-16T16:43:19.397000",
"db": "NVD",
"id": "CVE-2007-2398"
},
{
"date": "2009-03-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple Safari of Windows Vulnerability that changes the contents of the window title and address bar when used on Windows",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2007-001160"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Design Error",
"sources": [
{
"db": "BID",
"id": "24484"
},
{
"db": "CNNVD",
"id": "CNNVD-200706-350"
}
],
"trust": 0.9
}
}