CVE-2010-1406 in Safari
Summary
by MITRE
WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, and before 4.1 on Mac OS X 10.4, sends an https URL in the Referer header of an http request in certain circumstances involving https to http redirection, which allows remote HTTP servers to obtain potentially sensitive information via standard HTTP logging, a related issue to CVE-2010-0660.
Analysis
by VulDB Data Team • 04/13/2025
This vulnerability resides in the WebKit rendering engine used by Apple Safari on Mac OS X 10.4 through 10.6 and on Windows. The flaw manifests when a navigation that starts on an https page ends, through a redirect, on a plain http page. RFC 2616 section 15.1.3 already stated that a client should not send a Referer header in a non-secure request if the referring page was transferred over a secure protocol, because the URL of a secure page is itself treated as confidential. The vulnerability is classified under CWE-200 (information exposure) and is a specific case of leaking data through improper header handling during a protocol downgrade. When Safari follows an https to http redirection, it includes the https URL in the Referer header of the subsequent http request, creating an information disclosure channel to the http server.
The technical mechanism behind this vulnerability involves the browser's handling of the Referer header across a redirect chain that changes protocol. In the direct case (an https page linking straight to an http page) the browser must omit the Referer; the redirect case is the one that went wrong. Safari evaluated the header for the first, https hop and then carried it, unchanged, onto the http hop reached after the redirect, so the full https URL, including any query parameters and any tokens embedded in them, was transmitted to the http server. Fragments are not affected, since a fragment is never part of a Referer value, and cookies are not affected either; what leaks is exactly the data that was placed in the URL, such as a session identifier, a password-reset token, or personal data in a search query. Because the receiving request is cleartext http, the leaked URL is visible not only in the destination server's access logs but also to any observer on the network path.
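The decision described above, modelled as an added example (this is illustrative code written for this page, not WebKit or Safari source): a legacy path that evaluates the https-to-http downgrade check once, for the first request, and reuses the header on the redirect hop, next to a correct path that re-evaluates the header against each hop's own scheme. The flawed pattern is an assumed reconstruction of how such a bug arises, not a statement of Safari's actual code. The hostnames and URLs are constructed; `refererFor` also implements the modern `strict-origin-when-cross-origin` policy, which goes beyond the 2010 behaviour the page discusses.

```javascript
// Added example: what Referer a browser should send when a navigation from
// `referrer` passes through a redirect chain that may downgrade to http.
// Not WebKit code; hostnames below are placeholders.

// A Referer value never carries credentials or the fragment.
function stripForReferer(u) {
  const url = new URL(u);
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === "https:" && new URL(toUrl).protocol === "http:";
}

// Referer to send for one request, under a named Referrer-Policy.
function refererFor(referrer, target, policy = "no-referrer-when-downgrade") {
  const from = new URL(referrer);
  const to = new URL(target);
  const downgrade = from.protocol === "https:" && to.protocol === "http:";
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // RFC 2616 s15.1.3 behaviour
      return downgrade ? null : stripForReferer(referrer);
    case "strict-origin-when-cross-origin": // current browser default
      if (downgrade) return null;
      return from.origin === to.origin ? stripForReferer(referrer) : from.origin + "/";
    default:
      throw new Error("unsupported policy: " + policy);
  }
}

// Flawed pattern (assumed, for illustration): the downgrade check runs once,
// against the first hop, and the resulting header is reused on every redirect.
function legacyRefererForChain(referrer, chain) {
  const header = isDowngrade(referrer, chain[0]) ? null : stripForReferer(referrer);
  return chain.map((hop) => ({ url: hop, referer: header }));
}

// Correct pattern: decide the header per hop, against that hop's scheme.
function safeRefererForChain(referrer, chain, policy = "no-referrer-when-downgrade") {
  return chain.map((hop) => ({ url: hop, referer: refererFor(referrer, hop, policy) }));
}

// Constructed scenario: an https page links to an https URL that answers
// 302 -> http. The session token in the query string is the sensitive part.
const referringPage = "https://bank.example/account?session=abc123#summary";
const redirectChain = [
  "https://links.example/go?id=7", // 302 ->
  "http://tracker.example/landing",
];

function demo() {
  return {
    legacy: legacyRefererForChain(referringPage, redirectChain),
    safe: safeRefererForChain(referringPage, redirectChain),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the output, the legacy chain hands `https://bank.example/account?session=abc123` to `http://tracker.example/landing`, while the per-hop check sends no Referer on the http hop at all; the fragment `#summary` is dropped in both cases because it is never part of a Referer.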
The operational impact depends entirely on what the affected site puts in its URLs. An attacker who controls, or can read the logs of, the http server at the end of the redirect chain gets the leaked https URLs for free through standard access logging, with no interaction beyond serving the redirect target. If the secure site carries a session identifier, an authentication parameter, or other personal data in the query string, that value is exposed and may allow session hijacking; a site that keeps such state in cookies leaks only the path and query of the page the user came from, which is still a privacy issue but not an account takeover. The risk is most significant where users move from banking or corporate sites whose URLs contain per-session tokens to untrusted public websites, and it is compounded by the fact that the http request is cleartext and therefore readable by on-path observers as well as by the destination server.
Mitigation strategies for this vulnerability require both browser-level fixes and operational security improvements. Apple addressed this issue in Safari 5.0 for Mac OS X 10.5 through 10.6 and Windows, and in Safari 4.1 for Mac OS X 10.4, so that the Referer is no longer sent on the http hop of an https to http redirection. Organizations should ensure all Safari installations are updated to patched versions. Independently of the browser, site operators should stop relying on the client for this protection: keep session identifiers and other secrets out of URLs (in cookies or request bodies instead), send a Referrer-Policy header or meta tag such as no-referrer or strict-origin-when-cross-origin so that the page states its own policy, and avoid https to http redirects altogether, for which HSTS is the usual tool. Operators can also review the access logs of their plain-http hosts for requests whose Referer is an https URL, which is exactly the artefact this class of bug leaves behind and which points at the redirect chain that caused the leak. The vulnerability demonstrates the importance of re-checking header sanitization at every hop of a navigation, not just the first one.
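The log review suggested above, as an added example (written for this page, not a VulDB or Apple tool): a scanner for Apache/nginx "combined" format access-log lines from a plain-http virtual host that reports every request whose Referer is an https URL, and flags those where the leaked URL carried a query string, since that is where tokens and personal data usually sit. The log lines are constructed for the example and the hostnames are placeholders.

```javascript
// Added example: find http requests that arrived with an https Referer in
// combined-format access logs. The sample lines are constructed, not real logs.
const COMBINED =
  /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

// Parse one combined-format line; returns null for lines that do not match.
function parseCombined(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return {
    client: m[1],
    time: m[2],
    method: m[3],
    path: m[4],
    status: Number(m[6]),
    referer: m[8],
    userAgent: m[9],
  };
}

// One finding per request whose Referer is an https URL. `hasQuery` marks
// leaked URLs that carried a query string (the likely home of a token);
// only the origin of the leaked URL is kept in the finding so the report
// itself does not copy the sensitive value around.
function findHttpsRefererLeaks(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseCombined(line);
    if (!rec || !rec.referer.startsWith("https://")) continue;
    let ref;
    try {
      ref = new URL(rec.referer);
    } catch (e) {
      continue; // malformed Referer value; not a parseable https URL
    }
    findings.push({
      client: rec.client,
      time: rec.time,
      path: rec.path,
      leakedOrigin: ref.origin,
      hasQuery: ref.search.length > 0,
      userAgent: rec.userAgent,
    });
  }
  return findings;
}

// Constructed sample log for a plain-http host. Line 1 is the pattern this
// bug produces: an https referrer with a session token in its query string.
const sampleLog = [
  '203.0.113.5 - - [13/Apr/2025:10:00:01 +0000] "GET /landing HTTP/1.1" 200 512 "https://bank.example/account?session=abc123" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_3) AppleWebKit/531.22 Safari/531.22"',
  '203.0.113.6 - - [13/Apr/2025:10:00:02 +0000] "GET /landing HTTP/1.1" 200 512 "http://news.example/story" "Mozilla/5.0"',
  '203.0.113.7 - - [13/Apr/2025:10:00:03 +0000] "GET /img/x.png HTTP/1.1" 200 90 "https://shop.example/" "Mozilla/5.0"',
  '203.0.113.8 - - [13/Apr/2025:10:00:04 +0000] "GET /x HTTP/1.1" 200 1 "-" "curl/8.0"',
  "not a log line at all",
];

function report(lines = sampleLog) {
  return findHttpsRefererLeaks(lines);
}

console.log(JSON.stringify(report(), null, 2));
```

Run against real logs the interesting rows are those with `hasQuery` set and a `leakedOrigin` you own: each one names a redirect chain that should be changed to stay on https or to stop carrying secrets in the URL. The user agent is kept in the finding so a fleet of unpatched browsers can be spotted from the same pass.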