[Am-info] Netscape/Mozilla Null Character Cookie Stealing Vulnerability

Fred A. Miller fm@cupserv.org
Mon, 28 Jan 2002 14:30:32 -0500


Netscape/Mozilla Null Character Cookie Stealing Vulnerability
BugTraq ID: 3925
Remote: Yes
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3925
Summary:

Mozilla is a popular, freely available, open-source web browser. It runs
on most Linux and Unix variants, as well as MacOS and Microsoft Windows
9x/ME/NT/2000/XP operating systems. Netscape is another popular
web-browser product which runs on the same platforms as Mozilla.

An issue has been discovered in Mozilla and Netscape which may allow an
attacker to steal cookie-based authentication credentials from a user 
of a vulnerable web browser. The problem is in the handling of NULL 
(%00) characters in URLs.

It is possible for an attacker to read cookie-based authentication
credentials that are stored on a web user's system for any domain. The
attacker simply creates a malicious link that contains the hostname of a
server under their control, followed by a NULL character, followed by 
the domain the attacker wishes to steal cookies for. Browsing the
malicious link causes the web user to connect to the hostname specified 
in the first part of the link.  The server can then access cookies set 
for the domain that was placed in the URL after the NULL byte.

This issue may only be exploited to steal cookies set for a domain, as
opposed to cookies set for a specific host in that domain. Cookies set
with the secure flag can be stolen if the attacker uses SSL.

-- 
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org
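The mismatch the advisory describes, modelled as an added example that is not Mozilla's or Netscape's code: a C-string consumer sees only the part of the decoded host before the NUL, while a whole-string domain check still suffix-matches the cookie domain placed after it, and a hardened check refuses any host that is not a clean DNS name after decoding. The URL, host names and cookie domain are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the shape the advisory describes: one host, a %00,
# then a second domain. All names are placeholders, not real hosts.
SAMPLE_URL = "http://site-a.example%00.site-b.example/index.html"
COOKIE_DOMAIN = ".site-b.example"  # a domain cookie (leading dot), not a host cookie

# Strict DNS-name shape: dot-separated labels of letters, digits and hyphens.
DNS_NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?"
                         r"(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def decoded_host(url):
    """Percent-decode the host exactly as written, keeping any NUL byte."""
    return unquote(urlsplit(url).hostname or "")


def c_string_view(host):
    """Model a C-string consumer (e.g. connection code): it stops at the NUL."""
    return host.split("\x00", 1)[0]


def domain_cookie_matches(host, cookie_domain):
    """Model a whole-string domain check: suffix match on the leading-dot
    cookie domain, with the NUL treated as just another character."""
    return host.endswith(cookie_domain)


def weak_handling(url, cookie_domain):
    """Return (host actually connected to, whether the domain cookie is sent)
    under the modelled weak handling; the two answers can disagree."""
    host = decoded_host(url)
    return c_string_view(host), domain_cookie_matches(host, cookie_domain)


def hardened_host(url):
    """Validate the decoded host before any connection or cookie lookup.
    Refusing anything that is not a clean DNS name means no NUL or other
    control character can make two consumers see two different hosts."""
    host = decoded_host(url)
    if any(ord(ch) < 0x21 or ord(ch) > 0x7E for ch in host):
        raise ValueError("host contains NUL or control characters")
    if not DNS_NAME_RE.match(host.lower()):
        raise ValueError("host is not a valid DNS name")
    return host


def accepts(url):
    """True when hardened_host() admits the URL's host."""
    try:
        hardened_host(url)
        return True
    except ValueError:
        return False
```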
