CVE-2012-0647 in Safari

Summary

by MITRE

WebKit in Apple Safari before 5.1.4 does not properly handle redirects in conjunction with HTTP authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header.


Analysis

by VulDB Data Team • 04/23/2017

The vulnerability identified as CVE-2012-0647 resides within Apple Safari's WebKit rendering engine and affects versions prior to 5.1.4. It is a critical security issue caused by improper handling of HTTP redirects in combination with authentication mechanisms. The vulnerability stems from how Safari processes web requests when authentication is required and redirects are involved, creating a scenario where malicious servers can potentially intercept user credentials during the authentication process.

The technical implementation of this vulnerability involves WebKit's inadequate management of HTTP redirect sequences that include authentication challenges. When a user attempts to access a resource that requires authentication, the server typically responds with a 401 Unauthorized status code and includes an Authorization header in the response. In affected Safari versions, the browser fails to properly sanitize or handle these redirect sequences, allowing an attacker to craft malicious redirects that capture the Authorization header from the authentication response. This occurs because the browser does not properly validate or clear authentication state during redirect operations, creating a window where credential information can be logged or transmitted to unintended parties.

The operational impact of this vulnerability extends beyond simple credential theft, as it enables sophisticated man-in-the-middle attacks and credential harvesting operations. An attacker can construct a malicious web page that redirects users through multiple servers while maintaining the authentication headers in the redirect chain, effectively capturing the user's credentials without requiring any additional user interaction. This vulnerability directly relates to CWE-200, which describes improper handling of sensitive information, and can be mapped to ATT&CK technique T1566 for credential harvesting through social engineering and T1071 for application layer protocol usage. The attack vector typically involves phishing campaigns or compromised websites that redirect users to malicious endpoints designed to capture authentication information.

Mitigation strategies for CVE-2012-0647 require immediate patching of Safari to version 5.1.4 or later, where Apple implemented proper handling of authentication redirects and improved validation of redirect sequences. Users should also employ additional security measures such as enabling secure browsing protocols, using two-factor authentication where available, and avoiding access to sensitive resources from untrusted networks. Network administrators should implement monitoring for suspicious redirect patterns and consider deploying web application firewalls that can detect and block malicious redirect sequences. The vulnerability demonstrates the importance of proper state management in web browsers and highlights how seemingly minor implementation flaws in HTTP handling can result in significant security breaches. Organizations should also conduct regular security assessments of their browser configurations and ensure that all systems are running patched versions of web browsers to prevent exploitation of similar vulnerabilities in the future.
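The redirect handling described above can be modelled as a policy that forwards the Authorization request header only while a redirect stays on the origin that received it. This is an added example, not WebKit's code or Apple's actual fix; the same-origin rule, the function names and the sample hosts are assumptions made for illustration.

```javascript
// Added example: a model of a redirect policy, not WebKit source code.

function hasAuthorization(headers) {
  return Object.keys(headers).some((n) => n.toLowerCase() === "authorization");
}

// Build the request that follows one redirect. `location` is the Location
// header value and may be relative to `fromUrl`.
function requestAfterRedirect(fromUrl, location, headers) {
  const target = new URL(location, fromUrl);
  // Origin = scheme + host + port, so an https -> http downgrade also counts.
  const sameOrigin = target.origin === new URL(fromUrl).origin;
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && name.toLowerCase() === "authorization") continue;
    next[name] = value;
  }
  return { url: target.href, headers: next };
}

// Follow a whole chain. Headers carry forward hop to hop, so credentials
// dropped at one hop are not re-attached if the chain returns to the origin.
function followChain(startUrl, headers, locations) {
  const trace = [];
  let url = startUrl;
  let current = headers;
  for (const location of locations) {
    const step = requestAfterRedirect(url, location, current);
    trace.push({ url: step.url, sendsAuthorization: hasAuthorization(step.headers) });
    url = step.url;
    current = step.headers;
  }
  return trace;
}

// Constructed sample: hosts and the Basic credential (demo:demo) are made up.
const SAMPLE_HEADERS = { Authorization: "Basic ZGVtbzpkZW1v", Accept: "text/html" };
const SAMPLE_CHAIN = ["/reports/2012", "https://logger.example/collect", "https://intranet.example/done"];

function sampleTrace() {
  return followChain("https://intranet.example/reports", SAMPLE_HEADERS, SAMPLE_CHAIN);
}

console.log(sampleTrace());
```

In the sample chain the credential is sent on the first, same-origin hop only; it is withheld at the cross-origin hop and stays withheld when the chain returns to the original host.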

Reservation: 01/12/2012

Disclosure: 03/12/2012

Moderation: accepted

Entry: VDB-4850

CPE: ready

EPSS: 0.00276

KEV: no

Activities: very low
