CVE-2009-1699
published 2009-06-10
Priority: P262 · high · 7.5 (CVSS 3.1)
EXPLOIT
EPSS: 29.10% (97.9th percentile)
The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | iphone_os | 1.0.0 – 2.2.1 | — |
| apple | safari | < 4.0 | 4.0 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
Detection & IOCs
- Detect XXE attack via crafted DTD in XSL stylesheets referencing local file:// URIs — look for XML documents with DOCTYPE declarations containing SYSTEM entities pointing to file:// scheme URIs, processed by WebKit's XSL engine.
- Detect XML responses served with XML MIME type that include an xml-stylesheet processing instruction referencing an external XSL file, combined with a DTD containing external entity declarations (SYSTEM keyword) — this is the two-stage delivery mechanism for the attack.
- Detect XSL stylesheets containing DOCTYPE declarations with external SYSTEM entity references (e.g., `<!ENTITY ent SYSTEM "...">`), especially those referencing file:// or other local resource URIs, as these are the payload carrier for the XXE file theft.
- The vulnerability is specific to WebKit's XSL stylesheet XML parser in Apple Safari before version 4.0, and iPhone OS 1.0–2.2.1 / iPod touch OS 1.1–2.2.1; patched versions are not affected.
- The XXE attack is triggered specifically through the XSL XML parsing path, not general XML parsing — detection rules should target XSL/XSLT documents with DTD external entities, not all XML.
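CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 7.1 | HIGH | AV:N/AC:M/Au:N/C:C/I:N/A:N |
| vendor_ubuntu | | 9.3 | CRITICAL | |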
GHSA
GHSA-q425-6m5x-qp5p: The XSL stylesheet implementation in WebKit in Apple Safari before 4
ghsa_unreviewed·2022-05-02
CVE-2009-1699 [HIGH] CWE-200 GHSA-q425-6m5x-qp5p: The XSL stylesheet implementation in WebKit in Apple Safari before 4
Ubuntu
Qt vulnerabilities
vendor_ubuntu·2009-11-10·CVSS 9.3
CVE-2009-1699 [CRITICAL] Qt vulnerabilities
It was discovered that QtWebKit did not properly handle certain SVGPathList
data structures. If a user were tricked into viewing a malicious website,
an attacker could exploit this to execute arbitrary code with the
privileges of the user invoking the program. (CVE-2009-0945)
Several flaws were discovered in the QtWebKit browser and JavaScript
engines. If a user were tricked into viewing a malicious website, a remote
attacker could cause a denial of service or possibly execute arbitrary code
with the privileges of the user invoking the program. (CVE-2009-1687,
CVE-2009-1690, CVE-2009-1698, CVE-2009-1711, CVE-2009-1725)
It was discovered that QtWebKit did not properly handle certain XSL
stylesheets. If a user were tricked into viewin
No detection rules found.
References
- http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
- http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://osvdb.org/54972
- http://scary.beasts.org/security/CESA-2009-006.html
- http://scarybeastsecurity.blogspot.com/2009/06/apples-safari-4-fixes-local-file-theft.html
- http://secunia.com/advisories/35379
- http://secunia.com/advisories/43068
- http://support.apple.com/kb/HT3613
- http://support.apple.com/kb/HT3639
- http://www.securityfocus.com/bid/35260
- http://www.securityfocus.com/bid/35321
- http://www.ubuntu.com/usn/USN-857-1
- http://www.vupen.com/english/advisories/2009/1522
- http://www.vupen.com/english/advisories/2009/1621
- http://www.vupen.com/english/advisories/2011/0212
- https://www.exploit-db.com/exploits/8907