Apple patched a bug in Safari 5 (CVE-2010-1778)

by shrabasti on August 19, 2010

in News, Vulnerabilities

Apple patched a bug in Safari which was reported to the Apple security team by Billy (BK) Rios. The impact of the bug was listed as a vulnerability that could “cause files from the user’s system to be sent to a remote server”.

Safari has a built-in RSS/feed processor which takes RSS files and transforms them into a format that is easily readable. It’s important to understand that the XML content of the file served at the feed URL is not the same as the output markup displayed by Safari’s built-in feed reader: Safari takes bits of content from the RSS file and mixes them with some built-in markup. To see this, browse to an RSS feed with Firefox and view source, then browse to the same URL with Safari and view source. The HTML markup differs drastically between the two browsers (the raw XML vs. Safari’s transform).

When transforming the original XML file to a format that can be displayed by Safari’s internal feed reader, Safari also attempts to sanitize the XML file to prevent the execution of user/attacker controlled JavaScript. This sanitization is done because JavaScript executed under the feed:// protocol has access to the local file system and is NOT subject to the same origin policy. This bug bypassed these sanitization routines, giving an attacker the ability to execute arbitrary JavaScript under the feed protocol.
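An added sketch (not Safari's code and not from the original post) of the safer pattern for this kind of transform: every field taken from the feed is treated as text and escaped when it is mixed into the reader's own markup, and only http/https links are kept. The item fields, function names and output markup are assumptions made for illustration.

```javascript
// Added example: mix untrusted feed fields into trusted reader markup by
// escaping them, rather than trying to strip script out of them afterwards.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that could open a tag, entity or attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Allow only absolute http/https links; anything else (javascript:, file:,
// feed:, relative or unparseable input) is dropped by returning null.
function safeLink(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw));
  } catch (err) {
    return null;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
}

// Hypothetical reader template: the tags are ours, the text is the feed's.
function renderItem(item) {
  const href = safeLink(item.link);
  const parts = [
    '<article class="feed-item">',
    `<h2>${escapeHtml(item.title)}</h2>`,
    `<p>${escapeHtml(item.description)}</p>`,
  ];
  if (href !== null) {
    parts.push(`<a href="${escapeHtml(href)}">Read more</a>`);
  }
  parts.push('</article>');
  return parts.join('');
}

// Constructed sample item, shaped as a feed parser might hand it over.
const SAMPLE_ITEM = {
  title: 'Weekly <b>update</b>',
  link: 'javascript:x()',
  description: '<script>x()</script>Hello & welcome',
};

console.log(renderItem(SAMPLE_ITEM));
```

Because the markup in the feed is never interpreted, there is no sanitizer pass to bypass; the cost is that feed items lose their own formatting.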

More information is available here: http://xs-sniper.com/blog/2010/08/02/stealing-files-with-safari-5-cve-2010-1778/
