Apple Xcode WebObjects 'WOHyperlink' Information Disclosure Vulnerability

Bugtraq ID:	30191
Class:	Design Error
CVE:	CVE-2008-2318
Remote:	Yes
Local:	No
Published:	Jul 12 2008 12:00AM
Updated:	Jul 12 2008 05:39AM
Credit:	The vendor disclosed this issue.
Vulnerable:	Apple Xcode 2.4.1 Apple Xcode 3.0 Apple Xcode 2.3 Apple Xcode 2.2 Apple Xcode 2.1 Apple Xcode 2.0 Apple WebObjects 5.3.3 + Apple Xcode 2.4.1 Apple WebObjects 5.3.2 + Apple Xcode 2.4.1 Apple WebObjects 5.3.1 + Apple Xcode 2.2 Apple WebObjects 5.2.4 Apple WebObjects 5.2.3 Apple WebObjects 5.2.2 Apple WebObjects 5.2.1 Apple WebObjects 5.1.4 Apple WebObjects 5.1.3 Apple WebObjects 5.1.2 Apple WebObjects 5.4 Apple WebObjects 5.3 + Apple Xcode 2.1 Apple WebObjects 5.2 Apple WebObjects 5.1 Apple WebObjects 5.0
Not Vulnerable:	Apple Xcode 3.1

Apple Xcode WebObjects 'WOHyperlink' Information Disclosure Vulnerability

Apple WebObjects is prone to an information-disclosure vulnerability when generating URIs for HTML documents.

To exploit this issue an affected application would have to contain a URI to an arbitrary website that an attacker has control of or on which the attacker can view activity logs. Harvested session ID data can aid in attacks.

Versions of WebObjects that are affected are currently unspecified, however those included in Xcode versions prior to 3.1 are affected.

Apple Xcode WebObjects 'WOHyperlink' Information Disclosure Vulnerability

To exploit this issue an affected application would have to contain a URI to an arbitrary website that an attacker has control of or on which the attacker can view activity logs.

Apple Xcode WebObjects 'WOHyperlink' Information Disclosure Vulnerability

Solution:
Apple released Xcode 3.1 to address this issue. Please see the references for further information.

Apple Xcode WebObjects 'WOHyperlink' Information Disclosure Vulnerability

References:

• WebObjects Homepage (Apple)
  
• About the security content of Xcode tools 3.1 (Apple)