CVE-2009-3016
Description
Apple Safari 4.0.3 does not properly block javascript: and data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains a javascript: URI, (2) entering a javascript: URI when specifying the content of a Refresh header, (3) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI, or (4) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apple Safari 4.0.3 fails to block javascript: and data: URIs in HTTP Refresh headers, enabling cross-site scripting attacks.
Vulnerability
Apple Safari 4.0.3 does not block javascript: and data: URIs when they appear as the target of a Refresh header in an HTTP response. A Refresh header is a navigation instruction: the browser treats its url= value like a redirect target. When that target is a javascript: URI, or a data:text/html document carrying script, Safari navigates to it and the script runs in the origin of the site that sent the header instead of being refused as it would be for a Location redirect. Only Safari 4.0.3 is listed as affected in the CVE record and in the affected-product data on this page [1].
Exploitation
Exploitation requires a way to control the Refresh header sent by the target site. The four vectors in the description split into two cases: header injection, where an application copies untrusted input into response headers and the attacker supplies a complete Refresh header (vectors 1 and 3), and redirector abuse, where an application legitimately emits a Refresh header whose url= value is taken from a request parameter and the attacker supplies javascript:alert(1) or a data:text/html URI containing script as that value (vectors 2 and 4). In either case the victim only has to follow a crafted link to the vulnerable site; when Safari 4.0.3 processes the response it executes the script in the security context of that site's origin. No authentication is required [1].
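The redirector case above, as an added example that is not part of the CVE entry or of any Apple code: a hypothetical Node.js redirector that copies a user-supplied target into a Refresh header (the vulnerable pattern), beside a hardened builder that accepts only http(s) navigation targets and rejects CRLF header injection. The site origin, function names and sample inputs are constructed for illustration. The server-side check is a defense-in-depth measure for site operators; it does not replace the browser fix.

```javascript
// Added example (not from the CVE entry or Apple). Shows the redirector
// pattern CVE-2009-3016 is exploited through, and a server-side builder that
// refuses javascript:/data: targets regardless of what the client browser does.
// SITE_ORIGIN and every sample input below are constructed for illustration.

const SITE_ORIGIN = 'https://example.test'; // hypothetical site hosting the redirector

// Vulnerable pattern: the request parameter lands in the Refresh header verbatim.
// Against Safari 4.0.3 a target of javascript:... or data:text/html,... runs
// script in the redirector's own origin.
function buildRefreshHeaderUnsafe(target) {
  return `Refresh: 0; url=${target}`;
}

// Hardened pattern: reject raw CR/LF/NUL (header injection), resolve the
// target against the site origin, then allow only http: and https:.
// Returns the normalized absolute URL, or null when the target is rejected.
function safeRefreshTarget(target) {
  if (typeof target !== 'string' || /[\r\n\0]/.test(target)) return null;
  let url;
  try {
    // WHATWG parser: strips leading/trailing control chars and lowercases the
    // scheme, so "  JaVaScRiPt:..." is still recognised as javascript:.
    url = new URL(target, SITE_ORIGIN);
  } catch (e) {
    return null; // unparseable target
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

function buildRefreshHeaderSafe(target) {
  const href = safeRefreshTarget(target);
  return href === null ? null : `Refresh: 0; url=${href}`;
}

// The raw HTTP response the attacker wants the vulnerable redirector to emit.
function craftResponse(refreshHeader) {
  return [
    'HTTP/1.1 200 OK',
    'Content-Type: text/html',
    refreshHeader,
    '',
    '<p>Redirecting...</p>',
    '',
  ].join('\r\n');
}

// Demo: the vectors from the CVE description plus a benign target and a
// case/whitespace variant. Inputs are constructed, not captured traffic.
const samples = [
  'https://example.test/account',
  'javascript:alert(document.cookie)',
  'data:text/html,<script>alert(document.domain)</script>',
  '  JaVaScRiPt:alert(1)',
  '/next\r\nRefresh: 0; url=javascript:alert(1)',
];
for (const s of samples) {
  console.log(JSON.stringify(s));
  console.log('  unsafe:', JSON.stringify(buildRefreshHeaderUnsafe(s)));
  console.log('  safe:  ', JSON.stringify(buildRefreshHeaderSafe(s)));
}
console.log(craftResponse(buildRefreshHeaderUnsafe('javascript:alert(1)')));
```

The hardened builder resolves relative paths against the site origin and emits the normalized absolute URL, so a benign /account target still works while every non-http(s) scheme, including the case and whitespace variants the URL parser normalizes, is dropped before it reaches the header.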
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the security context of the vulnerable website. This can lead to theft of cookies, session tokens, or other sensitive data, as well as performing actions on behalf of the user. The outcome is a classic cross-site scripting (XSS) scenario: the attacker's script runs with the same privileges as the victim user on the target site. Unlike reflected XSS in a page body, the payload travels in a response header, so output encoding of the HTML body does not stop it.
Mitigation
The provided reference does not specify a fixed version. Users should upgrade to a later version of Safari that addresses this issue. As a workaround, users can disable JavaScript or use a different browser until a patch is applied. Site operators can reduce exposure independently of the browser by never copying untrusted input into response headers and by restricting redirector targets to http: and https: URLs. No official advisory from Apple is included in the available references [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- cpe:2.3:a:apple:safari:4.0.3:*:*:*:*:*:*:*
- (no CPE) range: =4.0.3
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.