VYPR
Severity: Unrated · Source: NVD Advisory · Published Oct 14, 2011 · Updated Apr 29, 2026

CVE-2011-3426

Description

Cross-site scripting (XSS) vulnerability in Safari in Apple iOS before 5 allows remote web servers to inject arbitrary web script or HTML via a file accompanied by a "Content-Disposition: attachment" HTTP header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in Safari on iOS before 5, caused by improper handling of the "Content-Disposition: attachment" HTTP header, which lets a remote web server inject script into the browser.

Vulnerability

Safari on Apple iOS versions before 5 does not correctly handle the "Content-Disposition: attachment" HTTP header. When a remote web server sends a file with this header, the browser may still render the content as HTML instead of treating it as a download, which results in a cross-site scripting (XSS) vulnerability. All iOS versions prior to 5 are affected, on iPhone 3GS, iPhone 4, iPod touch (3rd generation and later), and iPad [1][4]. Later reports indicate that the issue may have reappeared, or may not have been fully resolved, in subsequent iOS versions up to 7.1.2 [3].

Exploitation

An attacker needs to control a web server that can deliver a malicious HTML file with the "Content-Disposition: attachment" header and a Content-Type such as application/octet-stream. When a user visits the attacker's page or is redirected to the malicious file, Safari on iOS renders the content as HTML and executes any embedded JavaScript, despite the attachment directive. No authentication or special network position is required; the attack is initiated by the user clicking a link or being redirected [1][4].

Impact

Successful exploitation allows the attacker to execute arbitrary HTML and JavaScript in the context of the user's Safari session. This can lead to data theft, session hijacking, or other client-side attacks. The CVSS v2 base score is 2.6 (Low) [4], but the practical risk depends on the user's actions.

Mitigation

Apple addressed this vulnerability in iOS 5, released on October 12, 2011 [1]. Users should update to iOS 5 or later via iTunes. However, a 2014 security advisory [3] claims that iOS 7.1.2 is still affected, suggesting the fix may not be complete. As of the latest available references, no additional patch has been confirmed for later versions. Administrators should consider web content filtering and advising users not to open untrusted links.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (31)

  • cpe:2.3:o:apple:iphone_os:3.0:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.1.2:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.1.3:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.1:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.1:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.2.1:-:ipad:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.2:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:3.2:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.0.1:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.0.1:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.0:-:iphone:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.0:-:ipodtouch:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.2.5:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.2.8:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.5:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.5:-:ipad:*:*:*:*:*
  • cpe:2.3:o:apple:iphone_os:4.3.5:-:ipodtouch:*:*:*:*:*
  • Range: <5 (iOS before 5)
  • Apple Inc. / iOS (llm-fuzzy match), Range: <5

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (9)

News mentions (0)

No linked articles in our index yet.