J-Security Center

Title: Safari/WebCore HTTP Content Filtering Bypass Vulnerability

Severity: MODERATE

Description:

Apple Safari is a web browser available exclusively for the Mac OS X operating system. WebCore is a framework that embeds the KHTML library to provide web rendering services to applications. KHTML is the HTML library developed by the KDE team.

It is reported that Safari and WebCore contain a vulnerability that may allow users to bypass access restrictions or content filters.

Reportedly, when WebCore receives a file with a 'Content-Type' of 'text/plain', it reads the contents of the file to determine whether it is actually an HTML file. This practice is known as content sniffing and is strongly discouraged as "incorrect and dangerous" by internet RFCs and the W3C.

According to RFC 2616, if a document does not include a 'Content-Type' header, then, and only then, may a browser attempt to guess the content by inspection of the data or filename of the received document.

Reportedly, even if WebCore (and therefore Safari, which uses WebCore as its HTML core) receives a document with a 'Content-Type' of 'text/html', it will inspect the contents of the document. If Safari detects a single HTML or JavaScript element, it will then interpret the document as 'text/html'.

Normally 'text/plain' documents are considered harmless, as script code contained in them is not interpreted by browsers. If policies are in place to allow plain text files but deny HTML documents, this vulnerability may be exploited to bypass them. Alternatively, inline filters that inspect the contents of HTML documents for malicious or inappropriate content may also be bypassed, because such filters may only inspect documents whose 'Content-Type' header specifies 'text/html' content.
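As an added example (not Juniper's or Apple's code), the following content-filter check classifies a response the way the sniffing browser described above would, so that a 'text/plain' document containing markup is handled as HTML rather than passed through on the strength of its header. The element list, the fallback type for untyped bodies and the sample responses are assumptions constructed here.

```python
import re

# Elements counted as "a single HTML or JavaScript element"; the advisory does
# not give WebCore's exact set, so this list is an assumption.
_HTML_ELEMENT = re.compile(
    r"<\s*(?:!doctype\s+html|html|head|body|script|iframe|img|a|div|p|table|meta)\b",
    re.IGNORECASE,
)

def declared_media_type(content_type):
    """Media type from a Content-Type header value, parameters stripped."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower()

def sniffed_media_type(content_type, body):
    """Media type a sniffing browser, as the advisory describes, would render.

    'text/plain' (or no Content-Type, where RFC 2616 permits guessing) plus
    an HTML or script element in the body becomes 'text/html'.
    """
    declared = declared_media_type(content_type)
    if declared in (None, "text/plain") and _HTML_ELEMENT.search(body):
        return "text/html"
    return declared or "text/plain"  # untyped body without markup: treat as text

def filter_decision(content_type, body, allow_html=False):
    """Allow/block on the sniffed type. Returns (decision, declared, effective);
    declared != effective is the mismatch a header-only filter never sees."""
    declared = declared_media_type(content_type)
    effective = sniffed_media_type(content_type, body)
    if effective == "text/html" and not allow_html:
        return ("block", declared, effective)
    return ("allow", declared, effective)

# Constructed sample responses: (Content-Type header value, body)
SAMPLES = {
    "honest_plain": ("text/plain; charset=utf-8", "Just a README.\nNo markup."),
    "html_as_plain": ("text/plain", "hi <script>alert('sniffed')</script>"),
    "declared_html": ("text/html", "<html><body>hi</body></html>"),
    "untyped_html": (None, "<html><body>hi</body></html>"),
}

if __name__ == "__main__":
    for name, (ctype, body) in SAMPLES.items():
        decision, declared, effective = filter_decision(ctype, body)
        note = "  <- type mismatch" if declared != effective else ""
        print(f"{name:14} {decision:5} declared={declared} effective={effective}{note}")
```

A filter that logs the declared/effective mismatch gets a record of exactly the documents that would have slipped past a header-only policy.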

Affected Products:

  • Apple Mac OS X 10.2.0
  • Apple Mac OS X 10.2.1
  • Apple Mac OS X 10.2.2
  • Apple Mac OS X 10.2.3
  • Apple Mac OS X 10.2.4
  • Apple Mac OS X 10.2.5
  • Apple Mac OS X 10.2.6
  • Apple Mac OS X 10.2.7
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X Server 10.2.0
  • Apple Mac OS X Server 10.2.1
  • Apple Mac OS X Server 10.2.2
  • Apple Mac OS X Server 10.2.3
  • Apple Mac OS X Server 10.2.4
  • Apple Mac OS X Server 10.2.5
  • Apple Mac OS X Server 10.2.6
  • Apple Mac OS X Server 10.2.7
  • Apple Mac OS X Server 10.2.8
  • Apple Safari 1.0.0
  • Apple Safari 1.1.0
