Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2009-1699

Overview

Vulnerability Score 7.1 7.1
CVE Id CVE-2009-1699
Last Modified 30 Mar 2012 12:00:00
Published 10 Jun 2009 02:00:00
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2009-1699

Summary

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Vulnerable Systems

Operating System

  • Apple Iphone Os 1.0.0

  • Apple Iphone Os 1.0.1

  • Apple Iphone Os 1.0.2

  • Apple Iphone Os 1.1.0

  • Apple Iphone Os 1.1.1

  • Apple Iphone Os 1.1.2

  • Apple Iphone Os 1.1.3

  • Apple Iphone Os 1.1.4

  • Apple Iphone Os 1.1.5

  • Apple Iphone Os 2.0

  • Apple Iphone Os 2.0.0

  • Apple Iphone Os 2.0.1

  • Apple Iphone Os 2.0.2

  • Apple Iphone Os 2.1

  • Apple Iphone Os 2.1.1

  • Apple Iphone Os 2.2

  • Apple Iphone Os 2.2.1

Application

  • Apple Safari 0.8

  • Apple Safari 0.9

  • Apple Safari 1.0

  • Apple Safari 1.0.3

  • Apple Safari 1.1

  • Apple Safari 1.2

  • Apple Safari 1.3

  • Apple Safari 1.3.1

  • Apple Safari 1.3.2

  • Apple Safari 2.0

  • Apple Safari 2.0.0

  • Apple Safari 2.0.1

  • Apple Safari 2.0.2

  • Apple Safari 2.0.3

  • Apple Safari 2.0.4

  • Apple Safari 3.0

  • Apple Safari 3.0.0

  • Apple Safari 3.0.0b

  • Apple Safari 3.0.1

  • Apple Safari 3.0.1b

  • Apple Safari 3.0.2

  • Apple Safari 3.0.2b

  • Apple Safari 3.0.3

  • Apple Safari 3.0.3b

  • Apple Safari 3.0.4

  • Apple Safari 3.0.4b

  • Apple Safari 3.1

  • Apple Safari 3.1.0

  • Apple Safari 3.1.0b

  • Apple Safari 3.1.1

  • Apple Safari 3.1.2

  • Apple Safari 3.2

  • Apple Safari 3.2.0

  • Apple Safari 3.2.1

  • Apple Safari 3.2.2

  • Apple Safari 3.2.3

  • Apple Safari 4.0 Beta


References

VUPEN - ADV-2009-1522

CONFIRM - http://support.apple.com/kb/HT3613

APPLE - APPLE-SA-2009-06-08-1

VUPEN - ADV-2011-0212

VUPEN - ADV-2009-1621

UBUNTU - USN-857-1

BID - 35321

BID - 35260

MILW0RM - 8907

CONFIRM - http://support.apple.com/kb/HT3639

SECUNIA - 43068

SECUNIA - 35379

MISC - http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html

MISC - http://scary.beasts.org/security/CESA-2009-006.html

OSVDB - 54972

SUSE - SUSE-SR:2011:002

APPLE - APPLE-SA-2009-06-17-1

Related Patches

Apple 2009-06-08 Safari Update 4.0.1 (Leopard)

Apple 2009-06-08 Safari Update 4 (Tiger)


Last Updated: 27 May 2016 10:57:30