A Japanese version is also available.
Summary
A security vulnerability has been discovered in GreaseKit and Creammonkey. It can be exploited by malicious people to send (cross-site) HTTP requests, or to read and write configuration values. Please upgrade to GreaseKit 1.4.
Affected Software Versions
- GreaseKit 1.2 - 1.3
- Creammonkey 0.9 - 1.1
To verify the version number:
- Creammonkey: Launch Safari and, from the ":)" menu, choose "About Creammonkey".
- GreaseKit: Launch Safari (or a GreaseKit-enabled application) and, from the "GreaseKit" or ":)" menu, choose "About GreaseKit".
Solution
The vulnerability has been fixed in GreaseKit 1.4 by reducing functionality.
Details
GreaseKit provides 6 functions (GM_addStyle, GM_log, GM_openInTab, GM_setValue, GM_getValue and GM_xmlhttpRequest) to userscripts. For security reasons, these functions are not callable from a web page.
However, the vulnerability could allow an attacker to execute these functions from a web page. Successful exploitation requires that a userscript is configured to run on the malicious web page.
Contact
KATO Kazuyoshi <kzys@8-p.info>