CVE-2009-1699

HIGH

Apple Safari < 4.0 - XML External Entity Injection via XSL Stylesheet

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-1699. PoCs published by Chris Evans.

AI-analyzed exploit summary: This exploit demonstrates an XXE (XML External Entity) attack in Safari prior to version 4, allowing a malicious webpage to steal local files by embedding a crafted XSL stylesheet with a DTD that references a local file (e.g., /etc/passwd). The attack leverages the browser's XML parsing and XSL transformation to exfiltrate file contents.

Description

The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by Chris Evans · text · remote · multiple
https://www.exploit-db.com/exploits/8907

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Safari < 4
No auth needed
Prerequisites: Victim must visit a malicious webpage · Safari browser version < 4
devstral-2 · analyzed Feb 18, 2026
exploitdb · WORKING POC · VERIFIED
by Chris Evans · text · remote · linux
https://www.exploit-db.com/exploits/33034

This exploit demonstrates an XXE (XML External Entity) attack against WebKit in Safari prior to version 4, allowing an attacker to steal local files by crafting a malicious XSL stylesheet and XML file. The PoC includes a sample XSL file that attempts to read /etc/passwd and display its contents via JavaScript.

Classification: Working PoC 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Safari prior to version 4 (WebKit)
No auth needed
Prerequisites: Victim must visit a malicious webpage served by the attacker · Safari version prior to 4
devstral-2 · analyzed Feb 16, 2026

References (17)

http://support.apple.com/kb/HT3639 (Vendor Advisory; x_refsource_confirm)
http://secunia.com/advisories/43068 (Broken Link; third-party-advisory; x_refsource_secunia)
http://www.vupen.com/english/advisories/2009/1621 (Broken Link; vdb-entry; x_refsource_vupen)
https://www.exploit-db.com/exploits/8907 (Exploit, Third Party Advisory, VDB Entry; exploit; x_refsource_exploit-db)
http://www.vupen.com/english/advisories/2011/0212 (Broken Link; vdb-entry; x_refsource_vupen)
http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html (Broken Link, Mailing List, Patch, Vendor Advisory; vendor-advisory; x_refsource_apple)
http://osvdb.org/54972 (Broken Link; vdb-entry; x_refsource_osvdb)
http://www.securityfocus.com/bid/35260 (Broken Link, Exploit, Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
http://www.vupen.com/english/advisories/2009/1522 (Broken Link, Patch, Vendor Advisory; vdb-entry; x_refsource_vupen)
http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html (Mailing List; vendor-advisory; x_refsource_apple)
http://secunia.com/advisories/35379 (Broken Link, Vendor Advisory; third-party-advisory; x_refsource_secunia)
http://www.ubuntu.com/usn/USN-857-1 (Third Party Advisory; vendor-advisory; x_refsource_ubuntu)
http://www.securityfocus.com/bid/35321 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
http://support.apple.com/kb/HT3613 (Patch, Vendor Advisory; x_refsource_confirm)

Scores

CVSS v3: 7.5
EPSS: 0.2910
EPSS Percentile: 97.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE: CWE-611
Status: published
Products (6)
apple/iphone_os 1.0.0 - 2.2.1
apple/safari < 4.0
canonical/ubuntu_linux 8.10
canonical/ubuntu_linux 9.04
opensuse/opensuse 11.2
opensuse/opensuse 11.3
Published Jun 10, 2009
Tracked Since Feb 18, 2026