
Steal/spoof arbitrary cookie in Mozilla

by Nikola Strahija on July 25th, 2002

Software: Mozilla
Vendor: http://www.mozilla.org
Fix: The author has been working with Mozilla to produce a patch. Problem is fixed in Mozilla 1.1 Beta released 02-07-22.
Workaround: Preferences->Advanced->Scripts & Plugins-> Disable access to cookies using javascript
Impact: Steal/spoof arbitrary cookie using javascript: URLs
Author: Andreas Sandblad, [email protected]


BACKGROUND:
===========

I originally thought this was a XSS (cross site scripting) issue, but soon
came to the conclusion that it is limited to a design error in restricting
access to cookies. Even though Mozilla is open source, I have not been
studying the source code in order to find and exploit the vulnerability.

In the beginning I had problems not generating any javascript errors when
using the javascript URL. My first solution was to make the host and path
to be a valid javascript expression. google.com may be a valid expression
if google is an object and com is an element/variable of the google
object. Further on if google.com is an int, it is legal to use google.com/
1. Parsing of host and path will stop when a space is found.

Well, I soon found a much easier solution. Simply put a // in front of the
host and path and a \n before the cookie reading code occurs. The reason
why I didn't find this directly was because the newline must be created in
a javascript function. It can't be set directly in a javascript url.


DESCRIPTION:
============

Mozilla allows script in the javascript protocol to set and read cookies.
For javascript URLs the host and path for the cookie is pulled out as:
"javascript:[host][path]"

Cookie security is based only on restricting access to correct matching
host and path. By carefully crafting a malicious javascript URL opened in
a new frame/iframe/window, it is possible to access and alter cookies from
other domains.


DETAILS:
========

The easiest way to exploit the vulnerability is to simply create a
javascript URL in a javascript function as:
javascript://[host]/[path]\n[code to read cookie]
The // will make sure host and path don't generate any javascript errors.
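
A simplified model of the design error described above, added here as an illustration and not taken from Mozilla's source or from the advisory: the flawed check derives the cookie scope from the text of the javascript: URL, while the hardened check takes it from the document that opened the URL. All function names, the cookie jar and the example hosts are constructed assumptions, and the path match is deliberately simplified.

```javascript
// Constructed cookie jar: one cookie per site.
const JAR = [
  { name: "session", domain: "bank.example", path: "/" },
  { name: "prefs", domain: "other.example", path: "/" },
];

// Constructed URL in the shape the advisory gives; the code part is a no-op.
const SAMPLE_URL = "javascript://bank.example/account\nvoid 0";

// Flawed model: scope is read as "javascript:[host][path]" from the URL text,
// stopping at the first whitespace, so the URL's author picks the scope.
function scopeFromUrlText(url) {
  const m = /^javascript:\/*([^\/\s]*)(\/[^\s]*)?/i.exec(url);
  return m ? { host: m[1].toLowerCase(), path: m[2] || "/" } : null;
}

// Simplified host/path match (real cookie matching has more rules).
function cookieMatches(cookie, scope) {
  const hostOk = scope.host === cookie.domain ||
                 scope.host.endsWith("." + cookie.domain);
  return hostOk && scope.path.startsWith(cookie.path);
}

function readableCookiesFlawed(jar, url) {
  const scope = scopeFromUrlText(url);
  return scope ? jar.filter(c => cookieMatches(c, scope)).map(c => c.name) : [];
}

// Hardened model: a javascript: URL has no host of its own, so the scope
// comes from the document that opened it (openerUrl), never from its text.
function readableCookiesHardened(jar, url, openerUrl) {
  const u = new URL(/^javascript:/i.test(url) ? openerUrl : url);
  if (u.protocol !== "http:" && u.protocol !== "https:") return [];
  const scope = { host: u.hostname.toLowerCase(), path: u.pathname };
  return jar.filter(c => cookieMatches(c, scope)).map(c => c.name);
}

// A page on other.example opens SAMPLE_URL in a frame.
console.log("flawed:  ", readableCookiesFlawed(JAR, SAMPLE_URL));
console.log("hardened:",
  readableCookiesHardened(JAR, SAMPLE_URL, "http://other.example/page.html"));
```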




Disclaimer:
===========
Andreas Sandblad is not responsible for the misuse of the
information provided in this advisory. The opinions expressed
are my own and not of any company. In no event shall the author
be liable for any damages whatsoever arising out of or in
connection with the use or spread of this advisory. Any use of
the information is at the user's own risk.


Old advisories:
===============
#8 [2002-07-23] "Pressing CTRL in IE is dangerous"
http://online.securityfocus.com/archive/1/283866
#7 [2002-05-19] "IE dot bug"
http://online.securityfocus.com/archive/1/273168
#6 [2002-05-15] "Opera javascript protocoll vulnerability"
http://online.securityfocus.com/archive/1/272583
#5 [2002-04-26] "Mp3 file can execute code in Winamp."
http://online.securityfocus.com/archive/1/269724
#4 [2002-04-15] "Using the backbutton in IE is dangerous."
http://online.securityfocus.com/archive/1/267561

