The XSL stylesheet implementation in WebKit in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, and iPhone OS for iPod touch 1.1 through 2.2.1 does not properly handle XML external entities, which allows remote attackers to read arbitrary files via a crafted DTD, as demonstrated by a file:///etc/passwd URL in an entity declaration, related to an "XXE attack."

Related Vulnerabilities

platform vulnerability
CVE-2009-1699 qt4-x11
CVE-2009-1699 webkit
CVE-2009-1699 kde4libs