On Mar 11, 2011, at 1:10 PM, Ben Staveley-Taylor wrote:
> Thanks for the quick confirmation. It looks like Safari 5.0.4 was only released a couple of days ago and I guess my software update had not picked it up. I've run a manual update and the new WebKit does indeed fix my problem. That's fortunate timing.
>
> Our support guys have asked me if this affects all previous versions of Safari, or if the bug was only introduced in a recent version. I don't suppose you know how far back that bug goes, do you?
Unfortunately, I don’t have this information.
>
> Thanks again,
>
> -- Ben.
>
>
> On 11 Mar 2011, at 19:00, Dan Bernstein wrote:
>
>>
>> On Mar 11, 2011, at 9:05 AM, Ben Staveley-Taylor wrote:
>>
>>> I've encountered a problem which I am starting to suspect may be a security bug in WebKit. I wonder if any experts in HTTP authentication and redirecting might have an opinion?
>>>
>>> I think that WebKit is incorrectly including the Basic Authentication HTTP header for one server with a redirected request that goes to a different server. This means that the user's name and password are potentially being disclosed to a third party and I'm a bit alarmed, naturally.
>>>
>>> I have two servers, A (http://myserver.zone1.mycompany.com) and B (http://otherserver.zone2.mycompany.com). Server A uses Basic authentication, but server B is not authenticated.
>>>
>>> -- I use a WebView and load a URL pointing to server A.
>>> -- I get back an HTTP 401 response, meaning authentication is required.
>>> -- I type my name and password into the dialog box and then resubmit the request, which works.
>>> -- At some point later I do something which causes server A to send a redirection response (HTTP 303, "See Other") and the WebView requests a resource on server B.
>>>
>>> Bug: This redirected request sent to server B pre-emptively includes the HTTP Authentication header ("Authorization: Basic ********") for server A even though server B does not require authentication and has not challenged for it. Surely it should not do that? The name and password entered were specifically for server A. Server B is a different host, so server B now has access to my credentials for server A. (Both servers are in the same "mycompany.com" domain).
>>>
>>> In fact this behaviour causes the request to server B to fail -- although it does not require authentication, because incorrect credentials are pre-emptively sent anyway it tries to authenticate and fails. So I've got a functional bug, not just a potential security hole.
>>>
>>> Versions: Mac OS 10.6.6; Safari 5.0.3 (6533.19.4)
>>>
>>> Questions:
>>>
>>> -- Is this behaviour correct?
>>> -- What can I do in the WebView to stop this happening, i.e to ensure no "Authorization:" header is sent to server B unless the user has logged in to that server before?
>>>
>>> Thanks.
>>>
>>> Ben
>>
>> I believe that what you are describing is an issue that was fixed in the version of WebKit that is included in Safari 5.0.4. See the reference to CVE-2011-0160 in <http://support.apple.com/kb/HT4566>.
>
Webkitsdk-dev mailing list (email@hidden)
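The behaviour Ben asks for in his second question (no "Authorization:" header to server B unless the user has logged in to that server) comes down to scoping stored credentials to the origin that challenged for them and rebuilding the header on every redirect hop instead of carrying it forward. The following Python is an added illustration written for this page, not WebKit code and not from anyone in the thread: it models servers A and B in memory with the hostnames from the report, constructed sample credentials, and a tiny redirect-following client that can run in either the fixed mode or the buggy mode described above.

```python
import base64
from urllib.parse import urljoin, urlsplit

# Constructed hostnames matching the two servers in the report.
SERVER_A = "myserver.zone1.mycompany.com"      # challenges with Basic auth
SERVER_B = "otherserver.zone2.mycompany.com"   # never challenges
USER, PASSWORD = "ben", "s3cret"               # constructed sample credentials


def basic_header(user, password):
    """Build the value of an RFC 7617 Basic Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def origin(url):
    """(scheme, host, port) of a URL: the unit credentials are scoped to.

    Two hosts under the same parent domain (zone1/zone2.mycompany.com) are
    still different origins, so they never share an Authorization header.
    """
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def fake_server(url, headers):
    """Constructed in-memory stand-in for servers A and B; returns (status, headers)."""
    p = urlsplit(url)
    if p.hostname == SERVER_A:
        if headers.get("Authorization") != basic_header(USER, PASSWORD):
            return 401, {"WWW-Authenticate": 'Basic realm="zone1"'}
        if p.path == "/redirect":
            return 303, {"Location": f"http://{SERVER_B}/resource"}
        return 200, {}
    if p.hostname == SERVER_B:
        # B needs no login, but like the server in the report it rejects
        # credentials it cannot verify instead of ignoring them.
        if "Authorization" in headers:
            return 401, {}
        return 200, {}
    return 404, {}


def fetch(url, creds, scope_auth_to_origin=True, max_redirects=5):
    """Follow redirects; creds maps origin -> (user, password) the user entered.

    scope_auth_to_origin=True  : rebuild Authorization per hop from creds (fixed).
    scope_auth_to_origin=False : carry the previous hop's header along (buggy).
    Returns (final status, [(host, sent_authorization), ...]).
    """
    headers = {}
    trace = []
    for _ in range(max_redirects + 1):
        if scope_auth_to_origin:
            headers.pop("Authorization", None)   # never inherit across hops
        if "Authorization" not in headers and origin(url) in creds:
            headers["Authorization"] = basic_header(*creds[origin(url)])
        status, resp = fake_server(url, headers)
        trace.append((urlsplit(url).hostname, "Authorization" in headers))
        if status in (301, 302, 303, 307, 308) and "Location" in resp:
            url = urljoin(url, resp["Location"])
            continue
        return status, trace
    raise RuntimeError("too many redirects")


def demo():
    """Run the report's scenario in fixed and buggy mode; returns both results."""
    start = f"http://{SERVER_A}/redirect"
    creds = {origin(start): (USER, PASSWORD)}   # user logged in to A only
    return fetch(start, creds), fetch(start, creds, scope_auth_to_origin=False)


if __name__ == "__main__":
    fixed, buggy = demo()
    print("fixed:", fixed)   # A gets the header, B does not, final 200
    print("buggy:", buggy)   # header leaks to B and B answers 401
```

The buggy mode reproduces both symptoms from the report in one run: the credential for A is sent to B, and the request to B fails even though B never challenged. The fix is the per-hop rebuild keyed on the full origin, not on the registrable domain, which is why sharing "mycompany.com" does not entitle B to A's credentials.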