The XSL stylesheet implementation in WebKit in Apple Safari prior to 4.0, iPhone OS 1.0 up to and including 2.2.1, and iPhone OS for iPod touch 1.1 up to and including 2.2.1 does not properly handle XML external entities, which allows remote malicious users to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
Vulnerable Product |
---|
apple iphone os |
apple safari |
canonical ubuntu linux 9.04 |
canonical ubuntu linux 8.10 |
opensuse opensuse 11.2 |
opensuse opensuse 11.3 |