Apple Web Server notifications, 2005–2010

This article provides credit to people who have reported potential security issues in Apple's web servers.

Credits

2010-12-07 developer.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Sami Mrabet for reporting this issue.

2010-11-29 buyiphone.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Securitylab.ir and Nikola Milevski for reporting this issue.

2010-10-04 store.apple.com

store.apple.com was updated to address an issue allowing certain web resources to be loaded over HTTP. We would like to acknowledge Elena POINCET of TEHTRI-Security.com for reporting this issue.

2010-10-04 developer.apple.com

An error logging issue was addressed. We would like to acknowledge Laurent Oudot of TEHTRI-Security.com for reporting this issue.

2010-09-29 itunes.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Ivan Sanchez for reporting this issue.

2010-09-24 channelprograms.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Morten Wold of the HackTalk Security Team for reporting this issue.

2010-08-18 education.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Szymon Gruszecki of Cracow University of Technology, Poland for reporting this issue.

2010-07-01 me.com/mail

A cross-site scripting issue was addressed. We would like to acknowledge Jason Hullinger for reporting this issue.

2010-06-17 me.com/mail

A cross-site scripting issue was addressed. We would like to acknowledge Stephane Lunati for reporting this issue.

2010-06-17 me.com/mail

A cross-site scripting issue was addressed. We would like to acknowledge Jason Hullinger for reporting this issue.

2010-05-18 edcommunity.apple.com, latam.apple.com

Two individual cross-site scripting issues were addressed. We would like to acknowledge IFailStuff of EvilZone.org for reporting these issues.

2009-12-31 hk/en/reseller

An SQL injection issue was addressed. We would like to acknowledge Aditya K Sood of SecNiche Security Labs and Rohit Bansal for reporting this issue.

2009-11-05 me.com/mail

The MobileMe Mail application has been updated to address a cross-site scripting issue and an issue allowing spam messages to trigger requests to third-party web servers. We would like to acknowledge Stephane Lunati from TouchMatter.com for reporting the issues.

2009-10-31 edseminars.apple.com

Cross-site scripting issues were addressed. We would like to acknowledge Damien Couturier for reporting these issues.

2009-10-09 me.com/mail

The MobileMe site has corrected several cross-site scripting issues that could be triggered after an attacker has compromised an account. We would like to acknowledge Haroon Meer of SensePost for reporting these issues.

2009-07-01 idisk.me.com

A directory traversal issue was addressed. We would like to acknowledge Jeremy Richards for reporting this issue.

2009-05-26 alacservice.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Mystick for reporting this issue.

2009-04-16 iTunes Store

An HTTP response header splitting issue in the iTunes Store was addressed. We would like to acknowledge Will Drewry for reporting this issue.

2009-01-10 store.apple.com

Two cross-site scripting issues were addressed. We would like to acknowledge Christian Matthies for reporting these issues.

2008-12-11 apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Jason Hullinger of MySpace Security Team for reporting this issue.

2008-12-04 developer.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Jason Hullinger of MySpace Security Team for reporting this issue.

2008-12-04 searchcgi.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Jason Hullinger of MySpace Security Team for reporting this issue.

2008-11-06 me.com

Multiple cross-site request forgery and cross-site scripting issues in MobileMe web applications were fixed. We would like to acknowledge Richard Vaneeden, Sr. Security Consultant at IOActive, Inc. and Ilja Van Sprundel, Principal Security Consultant at IOActive, Inc. for reporting the issues.

2008-11-06 discussions.apple.com

A cross-site scripting issue in the Apple Discussions page was fixed. We would like to acknowledge Richard Vaneeden, Sr. Security Consultant at IOActive, Inc. and Ilja Van Sprundel, Principal Security Consultant at IOActive, Inc. for reporting this issue.

2008-10-17 homepage.mac.com

A cross-site scripting issue was addressed. We would like to acknowledge Yoshinori Ohta of Business Architects Inc. for reporting this issue.

2008-07-30 auth.apple.com

An authentication bypass issue in the MobileMe account information page was addressed. Credit to Thomas Pedley of ShALLaX for reporting this issue.

2008-07-11 edcommunity.apple.com

An SQL injection issue was addressed. We would like to acknowledge Nenad Stojanovski and Travis Schack for reporting this issue.

2008-06-09 iTunes Store

An open redirector in the iTunes Store was addressed. We would like to acknowledge Nenad Stojanovski for reporting this issue.

2008-05-16 developer.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Mike Zusman of Intrepidus Group for reporting this issue.

2008-04-28 searchcgi.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge David Bloom for reporting this issue.

2008-03-31 apple.com

A cross-site scripting issue was addressed. We would like to acknowledge David Bloom for reporting this issue.

2007-10-26 iforgot.apple.com/

A cross-site scripting issue was addressed. We would like to acknowledge Waqas Nazir of DigitSEC for reporting the issue.

2007-10-05 support.apple.com/techtooldeluxe/

A cross-site scripting issue was addressed. We would like to acknowledge Kenichi Maehashi of Hosei University for reporting the issue.

2007-09-26 education.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Johannes Fahrenkrug of Springenwerk Consulting for reporting the issue.

2007-09-26 edcommunity.apple.com

Two individual cross-site scripting issues were addressed. We would like to acknowledge Johannes Fahrenkrug of Springenwerk Consulting for reporting these issues.

2007-07-16 Apple Store Locator

An SQL injection issue was corrected in the Apple Store Locator. No customer data is stored on or is handled by the affected database. We would like to acknowledge Johannes Fahrenkrug of Springenwerk Consulting for reporting this issue.

2007-05-17 jobs.apple.com

A cross-site scripting issue was corrected on jobs.apple.com. We would like to acknowledge Dinis Cruz of Ounce Labs for reporting this issue.

2007-04-30 Apple website

Apple corrected a cross-site scripting issue on searchcgi.apple.com. We would like to acknowledge Nitesh Dhanjani for reporting this issue.

2005-12-14 Developer Connection Website

Apple corrected an issue on the connect.apple.com website that could have caused an email address to be disclosed. We would like to acknowledge Hernan Ochoa for reporting this issue.

2005-10-11 Apple Websites

Apple has corrected two issues related to PHP on the ali.apple.com and education.apple.com websites. No customer data is stored on or is handled by either of these systems. We would like to acknowledge Johannes Fahrenkrug for reporting these issues.

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.