Apple Web Server notifications, 2014

This article provides credit to people who have reported potential security issues in Apple's web servers.

Credits

2014-12-22 ecommerce.apple.com

A server configuration issue was addressed. We would like to acknowledge Joshua Coleman (facebook.com/josh.coleman.50) for reporting this issue.

2014-12-22 itunespulse.com

A cross-site scripting issue was addressed. We would like to acknowledge Rodolfo Godalle, Jr. (facebook.com/junior.ns1de), Daksh Patel (@dakshxss), and Ch. Muhammad Osama (@ChMuhammadOsama) for reporting this issue.

2014-12-22 unionbaynetworks.com

A directory-indexing issue was addressed. We would like to acknowledge Koutrouss Naddara (facebook.com/profile.php?id=100008222891851) for reporting this issue.

2014-12-22 mynews.apple.com

A clickjacking issue was addressed. We would like to acknowledge Murugesh for reporting this issue.

2014-12-22 itunespulse.com

A cross-site scripting issue was addressed. We would like to acknowledge Rodolfo Godalle, Jr. (facebook.com/junior.ns1de) for reporting this issue.

2014-12-22 icloud.com

A cross-site scripting issue was addressed. We would like to acknowledge Prashanth Varma of prashanthvarma.in for reporting this issue.

2014-12-18 volume.itunes.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Derek Ruffner of ruffner.io for reporting this issue.

2014-12-17 itunesu.itunes.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Daniel Cohen of Speed-Net.com for reporting this issue.

2014-12-15 controls.skyrocketapp.com

A clickjacking issue was addressed. We would like to acknowledge Koutrouss Naddara (facebook.com/profile.php?id=100008222891851) for reporting this issue.

2014-12-10 marketresearch.apple.com

A server configuration issue was addressed. We would like to acknowledge an anonymous researcher for reporting this issue.

2014-11-21 evaluatemacs.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Dhruva Sharma (facebook.com/adminhacked) for reporting this issue.

2014-11-19 evaluatemacs.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Dhruva Sharma (facebook.com/adminhacked) for reporting this issue.

2014-11-10 deploy.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Behrouz Sadeghipour (@NahamSec) for reporting this issue.

2014-10-13 pro.topsy.com

A clickjacking issue was addressed. We would like to acknowledge Aniket Pratap Singh for reporting this issue.

2014-10-07 radarsubmissions.apple.com

A certificate issue was addressed. We would like to acknowledge an anonymous researcher for reporting this issue.

2014-10-07 consultants-locator.apple.com

A clickjacking issue was addressed. We would like to acknowledge Sachin Thakuri (@sachinnthakuri), Urja Singh Thapa, and Hari Krishnan (facebook.com/c.hari1997) for reporting this issue.

2014-09-30 pro.topsy.com

An SSL configuration issue was addressed. We would like to acknowledge Ayoub Nait Lamine for reporting this issue.

2014-09-30 vpp.itunes.apple.com

A clickjacking issue was addressed. We would like to acknowledge Chandroliya Ravi Ghanashyam bhai (@ChandroliyaRavi) for reporting this issue.

2014-09-18 itunesu.itunes.apple.com

A clickjacking issue was addressed. We would like to acknowledge S.Venkatesh (@PranavVenkatS) and Osman Erçelik of Akanzii LLC for reporting this issue.

2014-09-16 hopstop.com

A cross-site scripting issue was addressed. We would like to acknowledge Memon Faisal (facebook.com/faiz.memon143) of SCET for reporting this issue.

2014-09-08 edeuroweb.apple.com

A clickjacking issue was addressed. We would like to acknowledge Osama Ansari (facebook.com/ansariosama) for reporting this issue.

2014-09-05 appleid.apple.com

An insufficient validation issue was addressed. We would like to acknowledge Cameron Banga of 9magnets, LLC for reporting this issue.

2014-09-05 topsy.com

A cross-site scripting issue was addressed. We would like to acknowledge Mohamed Abdelbaset Elnoby of W3Pwn Security Consultation for reporting this issue.

2014-09-02 hopstop.com

A cross-site scripting issue was addressed. We would like to acknowledge Memon Faisal (facebook.com/faiz.memon143) of SCET for reporting this issue.

2014-08-20 burstly.com

An out-of-date software issue was addressed. We would like to acknowledge Koutrouss Naddara (facebook.com/profile.php?id=100008222891851) for reporting this issue.

2014-08-19 hrweb.apple.com

An SSL configuration issue was addressed. We would like to acknowledge Satheesh Raj (@rsatheesh523) for reporting this issue.

2014-08-19 support.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Frans Rosén of Detectify for reporting this issue.

2014-08-18 mynews.apple.com

A caching issue was addressed. We would like to acknowledge Bill Cave for reporting this issue.

2014-08-18 beatsbydre.com

A cross-site scripting issue was addressed. We would like to acknowledge Muhammad Abdullah (facebook.com/root.abdullah) for reporting this issue.

2014-08-13 ara.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Drew Callahan (linkedin.com/pub/drew-callahan/67/62/783) for reporting this issue.

2014-08-07 edeuroweb.apple.com

A certificate issue was addressed. We would like to acknowledge Ch. Muhammad Osama (@ChMuhammadOsama) of Chmosama.com (chmosama.com) and Hardik Tailor (@iamhardiktailor) for reporting this issue.

2014-08-06 jobs.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Scott Glossop of randomstorm.com for reporting this issue.

2014-08-04 icloud.com/mail

A cross-site scripting issue was addressed. We would like to acknowledge an anonymous researcher for reporting this issue.

2014-07-30 hopstop.com

An out-of-date software issue was addressed. We would like to acknowledge Sangeetha Rajesh S for reporting this issue.

2014-07-15 images.apple.com

An open redirect issue was addressed. We would like to acknowledge Sabari Selvan (@EHackerNews) of Cyber Security & Privacy Foundation, Max Prietzel and an anonymous researcher for reporting this issue.

2014-07-09 hopstop.com

A cross-site scripting issue was addressed. We would like to acknowledge Jitendra Jaiswal (@jeetjaiswal22) from S.S Jain Subodh P.G College Jaipur India for reporting this issue.

2014-07-03 myaccess.apple.com

A server configuration issue was addressed. We would like to acknowledge Ryan Manly of Glenbrook High School District 225 for reporting this issue.

2014-07-02 acn-members.apple.com

A server configuration issue was addressed. We would like to acknowledge Kamil Sevi (@kamilsevi) for reporting this issue.

2014-07-01 appleseed3.apple.com

A clickjacking issue was addressed. We would like to acknowledge S.Venkatesh (@PranavVenkatS) for reporting this issue.

2014-06-20 extensions.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Brij Kishore Mishra (@__bkm_) for reporting this issue.

2014-06-19 store.apple.com

An information disclosure issue was addressed. We would like to acknowledge Kenney Lu (@eolwral) of Yahoo! for reporting this issue.

2014-06-16 privftp.apple.com

An exposed credential issue was addressed. We would like to acknowledge Guilherme Rambo for reporting this issue.

2014-06-13 developer.apple.com

A mixed-content issue was addressed. We would like to acknowledge Russell Sullivan for reporting this issue.

2014-06-11 myaccess.apple.com

An SSL configuration issue was addressed. We would like to acknowledge Russell Jancewicz of University of Connecticut for reporting this issue.

2014-05-05 consultants.apple.com

An Apache configuration issue was addressed. We would like to acknowledge Tariq Ziyad Al-Diab (facebook.com/TariqZiyad97) and Simone Memoli of Liceo Scientifico Valdemaro Vecchi for reporting this issue.

2014-04-28 bugreport.apple.com

An information disclosure issue was addressed. We would like to acknowledge Jesse Mikael Järvi for reporting this issue.

2014-04-23 searchcgi.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Artur Czyz (ArturCzyz.pl) for reporting this issue.

2014-04-17 store.apple.com

A server configuration issue was addressed. We would like to acknowledge Nakul Mohan of @Anonymous_India for reporting this issue.

2014-04-08 sift.apple.com

An SSL configuration issue was addressed. We would like to acknowledge Simone Memoli of Liceo Scientifico Valdemaro Vecchi for reporting this issue.

2014-04-04 discussionschinese.apple.com

A server configuration issue was addressed. We would like to acknowledge Riaz Ebrahim (linkedin.com/pub/riaz-ebrahim-cissp-ceh/3b/347/383) for reporting this issue.

2014-04-02 support.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Krishna Chaitanya Kadaba (@1kadaba) for reporting this issue.

2014-03-26 ep.sap.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Guillaume Buttet from Switzerland (facebook.com/guillaume.buttet) for reporting this issue.

2014-03-25 icloud.com

A cross-site scripting issue was addressed. We would like to acknowledge Allan Jay Tomol of OrangeApps for reporting this issue.

2014-03-21 info.apple.com/export/

A cross-site scripting issue was addressed. We would like to acknowledge Ketan Sirigiri of Cigniti Technologies Ltd. for reporting this issue.

2014-03-21 edeuroweb.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Ibrahim Raafat (@RaafatSEC) of Q-CERT, Florindarck (@QuisterTow) of Romanian Security Team (rstforums.com), Wong Chieh Yie (@wcypierrenet), and Danalachi Sergiu for reporting this issue.

2014-03-20 acn-members.apple.com

A clickjacking issue was addressed. We would like to acknowledge Chandroliya Ravi Ghanashyam bhai (@ChandroliyaRavi) for reporting this issue.

2014-03-19 canadaapp.apple.com

A server configuration issue was addressed. We would like to acknowledge Simone Memoli (Simon90_Italy) of Italian Security Team and Muhammad Shahzad for reporting this issue.

2014-03-18 qtdevseed.apple.com

An Apache configuration issue was addressed. We would like to acknowledge Simone Memoli of Liceo Scientifico Valdemaro Vecchi for reporting this issue.

2014-03-14 apple.com

A cross-site scripting issue was addressed. We would like to acknowledge an anonymous researcher for reporting this issue.

2014-03-14 apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Olivier Beg of lanaru.com for reporting this issue.

2014-03-11 apple.com

A Flash cross-domain policy issue was addressed. We would like to acknowledge Osama Mahmood (@OsamaMahmood007) of Team Cyber Switch for reporting this issue.

2014-03-03 depot.info.apple.com

A server configuration issue was addressed. We would like to acknowledge Indrajith AN (facebook.com/indrajith.cyberXdestroyer) for reporting this issue.

2014-03-03 depot.info.apple.com

A reflected cross-site scripting issue was addressed. We would like to acknowledge Sky_BlaCk of Team G410 for reporting this issue.

2014-02-28 topsy.com

A cross-site scripting issue was addressed. We would like to acknowledge Christian Galeone (thefacebook.com/christian.galeone.1) of ITCL Marco Polo - Bari for reporting this issue.

2014-02-26 edu-vpp.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Jean Pascal Pereira of secbiz.org for reporting this issue.

2014-02-16 bugreport.apple.com

A clickjacking issue was addressed. We would like to acknowledge Sahil Dhar (facebook.com/dhar66) and Paras Pilani (@cool_paras) for reporting this issue.

2014-02-15 bugreport.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge N B Sri Harsha (nbsriharsha.blogspot.in) and Pedro Caixeta de Castro (linkedin.com/in/pedrocaixetac) for reporting this issue.

2014-02-14 discussionskorea.apple.com/people

A cross-site scripting issue was addressed. We would like to acknowledge Ali Hassan Ghori of AHPT, Babar Khan Akhunzada of AHPT, Ehraz Ahmed (@tweetehrazahmed), Umraz Ahmed (@umrazahmed), and Charaf Anons (@CharafAnons) for reporting this issue.

2014-02-13 consultants.apple.com

An insecure cookie issue was addressed. We would like to acknowledge Memon Faisal (facebook.com/faiz.memon14) of SCET for reporting this issue.

2014-02-12 consultants.apple.com

A clickjacking issue was addressed. We would like to acknowledge Jigar Thakkar (@jigarthakkar39) of infobittechnologies.com and Nitin Goplani of Aujas Networks for reporting this issue.

2014-02-12 identity.apple.com

An XML external entity issue was addressed. We would like to acknowledge Nassim Abbaoui (@MetalnaS) for reporting this issue.

2014-02-11 hopstop.com

A cross-site scripting issue was addressed. We would like to acknowledge Memon Faisal (facebook.com/faiz.memon14) of SCET for reporting this issue.

2014-02-10 hopstop.com

A cross-site scripting issue was addressed. We would like to acknowledge Indrajith AN and KD Divakar for reporting this issue.

2014-02-08 aoschat.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge David Hoyt of Hoyt LLC (xss.cx) for reporting this issue.

2014-02-08 aoschat.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Vaibhuv Sharma (facebook.com/vaibhuv.sharma) of Pc-S3curity (pc-s3curity.com/), Vansh Sharma (facebook.com/vanshsharma95) of Pc-S3curity (pc-s3curity.com/), Evan Ricafort of evanricafort.com, and kminthant (@psxchotic) for reporting this issue.

2014-02-03 info.apple.com

An HTTP header injection issue was addressed. We would like to acknowledge Ishan Anand (Zero-Access, facebook.com/zero.access999) for reporting this issue.

2014-02-03 trailers.apple.com

An SQL injection issue was addressed. We would like to acknowledge Andrei Neculaesei (algorithm.dk) for reporting this issue.

2014-02-03 topsy.com

An Apache configuration issue was addressed. We would like to acknowledge Waqeeh Ul Hasan of SOftProweb (softproweb.blogspot.com/) for reporting this issue.

2014-01-29 hopstop.com

A cross-site scripting issue was addressed. We would like to acknowledge Memon Faisal (facebook.com/faiz.memon14) of SCET for reporting this issue.

2014-01-27 discussionskorea.apple.com

An out-of-date software issue was addressed. We would like to acknowledge Muhammad Shahmeer of Maads Security and UIT for reporting this issue.

2014-01-27 volume.itunes.apple.com

A clickjacking issue was addressed. We would like to acknowledge Chandroliya Ravi Ghanashyam bhai (@ChandroliyaRavi) for reporting this issue.

2014-01-27 discussions.apple.com

A stored cross-site scripting issue was addressed. We would like to acknowledge Enguerran Gillier of OpnSec.com for reporting this issue.

2014-01-23 topsy.com

A cross-site scripting issue was addressed. We would like to acknowledge Jacob Soo (@Gunther_AR) of ARTeam for reporting this issue.

2014-01-15 discussions.apple.com

A cross-site scripting issue was addressed. We would like to acknowledge Juan Broullón Sampedro of Grampus Team, J Muhammed Gazzaly - @gazly (gazzaly.info), David Eusebius Georgian (facebook.com/eusebiu.david.16), and Charaf Anons (@CharafAnons) for reporting this issue.

2014-01-14 airprint.apple.com

An Apache configuration issue was addressed. We would like to acknowledge Simone Memoli (Simon90_Italy) of Toxic Security Team for reporting this issue.

2014-01-13 plus.topsy.com

Reflected cross-site scripting issues were addressed. We would like to acknowledge Koutrouss Naddara (facebook.com/superbade) for reporting these issues.

2014-01-09 lists.apple.com

An SSL configuration issue was addressed. We would like to acknowledge Thomas Bartelmess of Marketcircle and Aaron Golding Brager (@getaaron) for reporting this issue.

2014-01-07 training.apple.com/schedule/aperture101

A cross-site scripting issue was addressed. We would like to acknowledge Shubham Upadhyay (@CyberShubhaM) of Advanced TechDefence, Simon Claudiu of Liceul Teoretic Bogdan Voda, and Sandeep Singh Rehal for reporting this issue.

2014-01-06 consultants.apple.com

A blind SQL injection issue was addressed. We would like to acknowledge Burak Bakir (@pr3d1c7) of burakb.net for reporting this issue.
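Several of the issue classes credited above (clickjacking, insecure cookies, directory indexing, mixed content) are visible in a single HTTP response, so they lend themselves to an automated pre-report check. The following is an added example written for this page; it is not Apple's tooling, not any reporter's proof of concept, and does not reflect how any listed site was actually configured. The two sample responses are constructed, and the header and body heuristics (an "Index of /" title for autoindex pages, plain-http src/href on an HTTPS page for mixed content) are assumptions a production scanner would refine.

```python
"""Added example: response-level checks for several web-server issue classes
named on this page (clickjacking, insecure cookies, directory indexing,
mixed content). Illustrative code written for this page, not Apple's tooling
or any reporter's code; sample responses below are constructed."""
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response fetched over HTTPS (assumed shape)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)     # single-valued headers
    set_cookie: list = field(default_factory=list)  # one entry per Set-Cookie
    body: str = ""


def _lower_headers(resp):
    return {k.lower(): v for k, v in resp.headers.items()}


def check_clickjacking(resp):
    """Page is frameable unless X-Frame-Options or a CSP frame-ancestors
    directive restricts embedding."""
    h = _lower_headers(resp)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return []
    csp = h.get("content-security-policy", "")
    if re.search(r"frame-ancestors\s+[^;]+", csp, re.I):
        return []
    return ["clickjacking: no X-Frame-Options or CSP frame-ancestors"]


def check_cookies(resp):
    """Cookies set over HTTPS should carry Secure and, for session-style
    cookies, HttpOnly; every cookie is treated as session-style here."""
    findings = []
    for raw in resp.set_cookie:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"insecure cookie: {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"insecure cookie: {name} lacks HttpOnly")
    return findings


def check_directory_index(resp):
    """Apache/nginx autoindex pages carry a recognisable title (heuristic)."""
    if resp.status == 200 and re.search(r"<title>Index of /", resp.body, re.I):
        return ["directory indexing: autoindex listing served"]
    return []


def check_mixed_content(resp):
    """Active content (script/iframe/link) loaded over plain HTTP from an HTTPS page."""
    if not resp.url.startswith("https://"):
        return []
    tags = re.findall(
        r"<(script|iframe|link)\b[^>]*\b(?:src|href)=[\"'](http://[^\"']+)",
        resp.body, re.I)
    return [f"mixed content: {tag} loads {src}" for tag, src in tags]


def audit(resp):
    """Run every check and return the combined list of findings."""
    findings = []
    for check in (check_clickjacking, check_cookies,
                  check_directory_index, check_mixed_content):
        findings.extend(check(resp))
    return findings


# Constructed sample responses (not real captures of any site).
WEAK = Response(
    url="https://example.test/files/",
    status=200,
    headers={"Content-Type": "text/html"},
    set_cookie=["sid=abc123; Path=/"],
    body='<html><head><title>Index of /files</title>'
         '<script src="http://cdn.example.test/app.js"></script></head></html>',
)

HARDENED = Response(
    url="https://example.test/files/",
    status=200,
    headers={"Content-Type": "text/html",
             "X-Frame-Options": "DENY",
             "Content-Security-Policy": "frame-ancestors 'none'"},
    set_cookie=["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
    body='<html><head><title>Files</title>'
         '<script src="https://cdn.example.test/app.js"></script></head></html>',
)

if __name__ == "__main__":
    for label, r in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(r) or ["no findings"])
```

The weak response yields five findings (one clickjacking, two cookie attributes, one directory listing, one mixed-content script); the hardened response yields none. Pair a check like this with a real fetch only against hosts you are authorised to test.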

Web Server notifications by year

For information about Apple Web Server notifications from previous years, see these documents:

Information about products not manufactured by Apple, or independent websites not controlled or tested by Apple, is provided without recommendation or endorsement. Apple assumes no responsibility with regard to the selection, performance, or use of third-party websites or products. Apple makes no representations regarding third-party website accuracy or reliability. Risks are inherent in the use of the Internet. Contact the vendor for additional information. Other company and product names may be trademarks of their respective owners.
