Vulnerabilities > CVE-2009-2842 - Information Disclosure vulnerability in Apple Safari Shortcut Menu Options

047910
CVSS 4.3 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
apple
nessus

Summary

Apple Safari before 4.0.4 does not properly implement certain (1) Open Image and (2) Open Link menu options, which allows remote attackers to read local HTML files via a crafted web site.

Nessus

  • NASL family: Windows
    NASL id: SAFARI_4_0_4.NASL
    description: The version of Safari installed on the remote Windows host is earlier than 4.0.4. Such versions are potentially affected by several issues : - An integer overflow in the handling of images with an embedded color profile could lead to a crash or arbitrary code execution. (CVE-2009-2804) - Multiple use-after-free issues exist in libxml2, the most serious of which could lead to a program crash. (CVE-2009-2414, CVE-2009-2416) - An issue in the handling of navigations initiated via the […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42478
    published: 2009-11-12
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42478
    title: Safari < 4.0.4 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    # Registration pass: when the engine sets 'description', only the metadata
    # calls in this block run, and the closing exit(0) ends the script before
    # any of the check logic further down.
    if (description)
    {
      script_id(42478);
      script_version("1.16");
    
      # A single version comparison later in this script stands in for all six
      # CVEs listed here: a finding means the install predates the fixed build,
      # not that any individual issue was confirmed on the host.
      script_cve_id(
        "CVE-2009-2804",
        "CVE-2009-2414",
        "CVE-2009-2416",
        "CVE-2009-2816",
        "CVE-2009-2842",
        "CVE-2009-3384"
      );
      script_bugtraq_id(36357, 36994, 36995, 36997);
    
      script_name(english:"Safari < 4.0.4 Multiple Vulnerabilities");
      script_summary(english:"Checks Safari's version number");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host contains a web browser that is affected by several
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The version of Safari installed on the remote Windows host is earlier
    than 4.0.4.  Such versions are potentially affected by several 
    issues :
    
      - An integer overflow in the handling of images with an
        embedded color profile could lead to a crash or 
        arbitrary code execution. (CVE-2009-2804)
    
      - Multiple use-after-free issues exist in libxml2, the
        most serious of which could lead to a program crash.
        (CVE-2009-2414, CVE-2009-2416)
    
      - An issue in the handling of navigations initiated via 
        the 'Open Image in New Tab', 'Open Image in New Window'
        or 'Open Link in New Tab' shortcut menu options could
        be exploited to load a local HTML file, leading to
        disclosure of sensitive information. (CVE-2009-2842)
    
      - An issue involving WebKit's inclusion of custom HTTP
        headers specified by a requesting page in preflight
        requests in support of Cross-Origin Resource Sharing
        can facilitate cross-site request forgery attacks. 
        (CVE-2009-2816)
    
      - Multiple issues in WebKit's handling of FTP directory 
        listings may lead to information disclosure, unexpected
        application termination, or execution of arbitrary 
        code. (CVE-2009-3384)"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT3949"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://www.securityfocus.com/advisories/18277"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade to Safari 4.0.4 or later."
      );
      # NOTE(review): one plugin-wide CVSS2 base vector with complete C/I/A
      # impact; presumably it tracks the most severe bundled issue (the
      # description mentions arbitrary code execution). Lower-impact entries
      # such as the information disclosure CVE-2009-2842 should be scored on
      # their own when triaging a finding.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # Temporal metrics: exploitability unproven, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-119 (memory buffer bounds), CWE-189 (numeric errors), CWE-352 (CSRF),
      # CWE-399 (resource management).
      # NOTE(review): no information-exposure CWE is listed even though the
      # description includes a disclosure issue (CVE-2009-2842).
      script_cwe_id(119, 189, 352, 399);
      script_set_attribute(
        attribute:"vuln_publication_date", 
        value:"2009/11/11"
      );
      script_set_attribute(
        attribute:"patch_publication_date", 
        value:"2009/11/11"
      );
      script_set_attribute(
        attribute:"plugin_publication_date", 
        value:"2009/11/12"
      );
     script_cvs_date("Date: 2018/07/27 18:38:15");
      # Declared as a local, information-gathering check; the logic after this
      # block only reads KB entries and reports on them.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      # The check requires SMB/Safari/FileVersion in the KB; presumably that key
      # is written by safari_installed.nasl -- confirm against that plugin.
      script_dependencies("safari_installed.nasl");
      script_require_keys("SMB/Safari/FileVersion");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    
    
    # Everything this check knows about the install comes from the KB; the
    # script itself does not touch the remote host. Without a recorded file
    # version there is nothing to compare, so the script exits quietly.
    path = get_kb_item("SMB/Safari/Path");
    version = get_kb_item("SMB/Safari/FileVersion");
    if (isnull(version)) exit(0);
    
    # Break the dotted version into integer components so the comparison below
    # is numeric rather than lexical.
    ver = split(version, sep:'.', keep:FALSE);
    i = 0;
    while (i < max_index(ver))
    {
      ver[i] = int(ver[i]);
      i++;
    }
    
    # Anything below file version 5.31.21.10 is treated as outdated. The plugin
    # title speaks of "Safari < 4.0.4", so 5.31.21.10 is presumably the file
    # version of the fixed Windows build -- confirm against the vendor advisory.
    # NOTE(review): a version string with fewer than four components leaves
    # ver[3] unset; confirm how the interpreter compares an unset element.
    outdated = FALSE;
    if (ver[0] < 5) outdated = TRUE;
    else if (ver[0] == 5)
    {
      if (ver[1] < 31) outdated = TRUE;
      else if (ver[1] == 31)
      {
        if (ver[2] < 21) outdated = TRUE;
        else if (ver[2] == 21 && ver[3] < 10) outdated = TRUE;
      }
    }
    
    if (outdated)
    {
      if (report_verbosity > 0)
      {
        if (isnull(path)) path = "n/a";
    
        # The decision above was made on FileVersion; the report shows the
        # product version instead whenever the KB has one.
        prod_version = get_kb_item("SMB/Safari/ProductVersion");
        if (!isnull(prod_version)) version = prod_version;
    
        report = string(
          "\n",
          "Nessus collected the following information about the current install\n",
          "of Safari on the remote host :\n",
          "\n",
          "  Version : ", version, "\n",
          "  Path    : ", path, "\n"
        );
        security_hole(port:get_kb_item("SMB/transport"), extra:report);
      }
      # With verbosity at 0 the finding is raised without version/path details.
      else security_hole(get_kb_item("SMB/transport"));
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SAFARI4_0_4.NASL
    description: The version of Apple Safari installed on the remote Mac OS X host is earlier than 4.0.4. As such, it is potentially affected by several issues : - Multiple use-after-free issues exist in libxml2, the most serious of which could lead to a program crash. (CVE-2009-2414, CVE-2009-2416) - An issue in the handling of navigations initiated via the […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 42477
    published: 2009-11-12
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/42477
    title: Mac OS X : Apple Safari < 4.0.4
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the engine sets 'description', only the metadata
    # calls in this block run, and the closing exit(0) ends the script before
    # any of the check logic further down.
    if (description)
    {
      script_id(42477);
      script_version("1.21");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      # A single version comparison later in this script stands in for all five
      # CVEs listed here: a finding means the install predates the fixed
      # version, not that any individual issue was confirmed on the host.
      script_cve_id(
        "CVE-2009-2414",
        "CVE-2009-2416",
        "CVE-2009-2816",
        "CVE-2009-2841",
        "CVE-2009-2842"
      );
      script_bugtraq_id(36994, 36996, 36997);
    
      script_name(english:"Mac OS X : Apple Safari < 4.0.4");
      script_summary(english:"Check the Safari SourceVersion");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host contains a web browser that is affected by several
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The version of Apple Safari installed on the remote Mac OS X host is
    earlier than 4.0.4.  As such, it is potentially affected by several
    issues :
    
      - Multiple use-after-free issues exist in libxml2, the
        most serious of which could lead to a program crash.
        (CVE-2009-2414, CVE-2009-2416)
    
      - An issue in the handling of navigations initiated via 
        the 'Open Image in New Tab', 'Open Image in New Window'
        or 'Open Link in New Tab' shortcut menu options could
        be exploited to load a local HTML file, leading to
        disclosure of sensitive information. (CVE-2009-2842)
    
      - An issue involving WebKit's inclusion of custom HTTP
        headers specified by a requesting page in preflight
        requests in support of Cross-Origin Resource Sharing
        can facilitate cross-site request forgery attacks. 
        (CVE-2009-2816)
    
      - WebKit fails to issue a resource load callback to 
        determine if a resource should be loaded when it
        encounters an HTML 5 Media Element pointing to an 
        external resource, which could lead to undesired
        requests to remote servers. (CVE-2009-2841)"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT3949"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/Nov/msg00001.html"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://www.securityfocus.com/advisories/18277"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade to Apple Safari 4.0.4 or later.");
      # NOTE(review): one plugin-wide CVSS2 base vector with complete C/I/A
      # impact, although the issues described above range from a program crash
      # to information disclosure and request forgery. Score the individual
      # CVEs (e.g. CVE-2009-2842) on their own when triaging a finding.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # Temporal metrics: exploitability unproven, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      # CWE-119 (memory buffer bounds), CWE-352 (CSRF), CWE-399 (resource
      # management).
      # NOTE(review): no information-exposure CWE is listed even though the
      # description includes a disclosure issue (CVE-2009-2842).
      script_cwe_id(119, 352, 399);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/11");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/11/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/11/12");
    
      # Declared as a local, information-gathering check; the logic after this
      # block reads KB entries, writes one KB flag and reports.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
     
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
     
      # The check requires all four KB keys below; presumably the Safari ones
      # are written by macosx_Safari31.nasl -- confirm against that plugin.
      script_dependencies("macosx_Safari31.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/uname", "Host/MacOSX/Version", "MacOSX/Safari/Installed");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    # Preconditions, all read from the KB: local checks must be marked as
    # enabled and the host must have been identified as Mac OS X.
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    # Only Darwin 8.x, 9.0 through 9.8 and 10.x kernels are in scope; the audit
    # message names these as Mac OS X 10.4 / 10.5 / 10.6.
    uname = get_kb_item_or_exit("Host/uname");
    supported_darwin = egrep(pattern:"Darwin.* (8\.|9\.[0-8]\.|10\.)", string:uname);
    if (!supported_darwin) audit(AUDIT_OS_NOT, "Mac OS X 10.4 / 10.5 / 10.6");
    
    # Safari must be recorded as installed, with a path and a version.
    # NOTE(review): 'path' is required here but is not included in the report
    # built below.
    get_kb_item_or_exit("MacOSX/Safari/Installed");
    path = get_kb_item_or_exit("MacOSX/Safari/Path", exit_code:1);
    version = get_kb_item_or_exit("MacOSX/Safari/Version", exit_code:1);
    
    fixed_version = "4.0.4";
    cmp = ver_compare(ver:version, fix:fixed_version, strict:FALSE);
    
    # -1 means the installed version sorts before the fixed one.
    if (cmp == -1)
    {
      # Record the XSRF flag in the KB; this is set on the version match alone,
      # presumably because CVE-2009-2816 is among the bundled issues.
      set_kb_item(name:'www/0/XSRF', value:TRUE);
    
      if (report_verbosity > 0)
      {
        report = '\n  Installed version : ' + version + '\n  Fixed version     : ' + fixed_version + '\n';
        security_hole(port:0, extra:report);
      }
      # With verbosity at 0 the finding is raised without version details.
      else security_hole(0);
    }
    else audit(AUDIT_INST_VER_NOT_VULN, "Safari", version);
    

Oval

accepted: 2013-11-11T04:02:06.175-05:00
class: vulnerability
contributors:
  • name: Sharath S
    organization: SecPod Technologies
  • name: Shane Shaffer
    organization: G2, Inc.
  • name: Maria Kedovskaya
    organization: ALTX-SOFT
definition_extensions:
comment: Apple Safari is installed
oval: oval:org.mitre.oval:def:6325
description: Apple Safari before 4.0.4 does not properly implement certain (1) Open Image and (2) Open Link menu options, which allows remote attackers to read local HTML files via a crafted web site.
family: windows
id: oval:org.mitre.oval:def:5915
status: accepted
submitted: 2009-11-17T18:28:46
title: Apple Safari Local HTML Files Information Disclosure Vulnerability.
version: 8

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 36357,36010,36994,36995,36997,36996 CVE ID: CVE-2009-2804,CVE-2009-2414,CVE-2009-2416,CVE-2009-2842,CVE-2009-2816,CVE-2009-3384,CVE-2009-2841 Safari是苹果家族机器操作系统中默认捆绑的WEB浏览器。 远程攻击者可以利用Safari浏览器中的多个错误导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2009-2804 处理包含有嵌入式颜色配置文件的图形时存在可导致堆溢出的整数溢出,用户受骗打开恶意图形就可能导致浏览器崩溃或执行任意代码。 CVE-2009-2414,CVE-2009-2416 libxml2库中的多个释放后使用漏洞可能导致浏览器意外终止。 CVE-2009-2842 Safari处理通过“在新标签页中打开图形”、“在新窗口中打开图形”或“在新标签页中打开链接”快捷菜单选项所初始化的导航时存在漏洞,对恶意网站使用这些选项可能加载本地HTM文件,导致泄漏敏感信息。 CVE-2009-2816 WebKit实现跨源资源共享的方式存在漏洞。在允许一个源的页面访问另一个源中资源之前,WebKit向后者服务器发送了preflight请求。由于WebKit包含有preflight所请求页面指定的自定义HTTP头,这有利于跨站请求伪造攻击。 CVE-2009-3384 WebKit处理FTP列出目录方式存在多个漏洞,访问恶意的FTP服务器可能导致信息泄露、浏览器意外终止或执行任意代码。 CVE-2009-2841 WebKit遇到指向外部资源的HTML 5媒体元素时没有发布资源加载回调来判断是否应加装资源,这可能导致对远程服务器的非预期请求。例如,HTML格式邮件的发件人可以判断消息是否已读。 Apple Safari 4.x 厂商补丁: Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com/safari/download/
idSSV:12627
last seen2017-11-19
modified2009-11-13
published2009-11-13
reporterRoot
titleSafari 4.0.4版本修复多个安全漏洞