Cross-Origin Resource Sharing Vulnerability in WebKit Affecting Apple Safari and Google Chrome
CVE-2009-2816

Currently unrated

Key Information:

Vendor: Apple
CVE Published: 13 November 2009

Summary

The Cross-Origin Resource Sharing (CORS) implementation in WebKit, as used by Apple Safari and Google Chrome, allows remote attackers to perform cross-site request forgery (CSRF) attacks. The flaw stems from improper handling of custom HTTP headers included in the OPTIONS request during preflight cross-origin operations. Attackers can exploit it through crafted web pages that trigger unauthorized actions on behalf of users.
