CVE-2015-1126

Apple iOS < 8.3 and Safari < 6.2.5 - Remote Resource Access via FTP URL Userinfo Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1126. PoCs published by Jouko Pynnonen, joev, including Metasploit module auxiliary/gather/apple_safari_ftp_url_cookie_theft.

AI-analyzed exploit summary This Metasploit module exploits a vulnerability in Safari (CVE-2015-1126) to steal non-HTTPOnly cookies via an FTP URL manipulation technique. It sets up an FTP and HTTP server to serve a malicious payload that exfiltrates cookies from targeted domains.

Description

WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not properly handle the userinfo field in FTP URLs, which allows remote attackers to trigger incorrect resource access via unspecified vectors.

Exploits (1)

metasploit WORKING POC

by Jouko Pynnonen, joev · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/apple_safari_ftp_url_cookie_theft.rb

View Code ZIP pw:eip

This Metasploit module exploits a vulnerability in Safari (CVE-2015-1126) to steal non-HTTPOnly cookies via an FTP URL manipulation technique. It sets up an FTP and HTTP server to serve a malicious payload that exfiltrates cookies from targeted domains.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Apple Safari (OSX/iOS/Windows versions before April 8, 2015)

No auth needed

Prerequisites: Victim must visit a malicious URL · FTP and HTTP servers must be reachable by the victim

MITRE ATT&CK

T1189 - Drive-by Compromise T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT204658

Vendor Advisory vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2015/Apr/msg00002.html

Vendor Advisory vendor-advisory x_refsource_apple

http://lists.apple.com/archives/security-announce/2015/Apr/msg00000.html

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id/1032047

Vendor Advisory x_refsource_confirm

https://support.apple.com/HT204661

Scores

EPSS 0.0996

EPSS Percentile 95.0%

Details

CWE

CWE-20

Status published

Products (19)

apple/iphone_os < 8.2

apple/safari 7.0

apple/safari 7.0.1

apple/safari 7.0.2

apple/safari 7.0.3

apple/safari 7.0.4

apple/safari 7.0.5

apple/safari 7.0.6

apple/safari 7.1.0

apple/safari 7.1.1

... and 9 more

Published Apr 10, 2015

Tracked Since Feb 18, 2026