Computer Security

Topic:                    accessing cookies via ftp
Affected Software:        all versions of Netscape/Mozilla
Author:                   3APA3A <[email protected]>
Risk:                     Low
Remotely Exploitable:     Yes
Impact:                   depending on server configuration
                          cookie   set  by  server  can  be
                          retrieved  by  hostile  side  from
Vendor URL:     
SECURITY.NNOV advisories:


Mozilla does not record which protocol a cookie was received
over, and it allows cookies to be handled in documents
received via FTP. As a result, a document located on an FTP
site can access a cookie if the cookie was set by the same
site over HTTP. Since FTP does not support virtual servers
and some FTP sites allow anonymous document upload, this
creates a risk of unauthorized access to cookies. Secure
cookies set via a secured protocol are probably not affected
by this problem. Internet Explorer is probably not affected.
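
A simplified model of the cookie lookup described above, added here as an illustration (it is not Mozilla's code): it compares matching by host alone with matching that also checks the scheme of the requesting document. The hosts under example.com, the cookie names and the function names are constructed for the example, and the handling of Secure cookies follows the advisory's "probably" as an assumption.

```javascript
// Simplified cookie-jar model (added example; not Mozilla's code).
// All hosts, names and values are constructed samples.
function storeCookie(jar, setUrl, name, opts = {}) {
  const u = new URL(setUrl);
  jar.push({
    name,
    // A Domain attribute widens scope to the whole domain;
    // without it the cookie is bound to the exact host.
    domain: (opts.domain || u.hostname).replace(/^\./, '').toLowerCase(),
    hostOnly: !opts.domain,
    secure: Boolean(opts.secure),
  });
}

function hostMatches(cookie, host) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// checkScheme=false models the reported behaviour: only the host is compared.
// checkScheme=true adds the missing test: non-HTTP(S) documents get nothing.
function visibleCookies(jar, docUrl, checkScheme) {
  const u = new URL(docUrl);
  if (checkScheme && !['http:', 'https:'].includes(u.protocol)) return [];
  return jar
    .filter((c) => hostMatches(c, u.hostname.toLowerCase()))
    // Assumption: Secure cookies are released only to HTTPS documents.
    .filter((c) => !c.secure || u.protocol === 'https:')
    .map((c) => c.name);
}

function demo() {
  const jar = [];
  storeCookie(jar, 'http://www.example.com/login', 'session');
  storeCookie(jar, 'http://www.example.com/login', 'prefs', { domain: 'example.com' });
  storeCookie(jar, 'https://www.example.com/login', 'auth', { secure: true });
  return {
    ftpSameHostLegacy: visibleCookies(jar, 'ftp://www.example.com/incoming/page.html', false),
    ftpOtherHostLegacy: visibleCookies(jar, 'ftp://ftp.example.com/incoming/page.html', false),
    ftpSameHostChecked: visibleCookies(jar, 'ftp://www.example.com/incoming/page.html', true),
    httpChecked: visibleCookies(jar, 'http://www.example.com/account', true),
  };
}

console.log(demo());
```

A host-only cookie is exposed only when the FTP and HTTP services share a host name, while a cookie set for the whole domain is also exposed to an FTP document on a sibling host.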


The attack is possible under the following conditions:

1. FTP and HTTP coexist in the same domain (as defined in RFC
2. The attacker has write access to FTP (via /incoming or via
    an FTP account).

Example of attack scenario:   uses  cookie  to  store  user's
account  information.  There  is  also
with   /incoming   directory   allowing   anonymous  access
physically  located  on  the  same host In this
case  can  be  accessed
anonymously   for  writing  (attack  is  also  possible  if  and  are  located  on
different  hosts,  but  sets cookie for domain as many servers do).

1. The attacker composes a trojaned HTML document (malware.html)
with JavaScript which sends document.cookie to a predefined URL.
2. He uploads this document to
3.     He     sends     e-mail     with    redirect    to        to  user  (for  example  it  can  be  <META
4. When the user opens the message, he is redirected to
malware.html, which sends the user's cookie to the URL specified
by the attacker.

If there is no anonymous access to FTP but the attacker has
an FTP account, he can use the URL
ftp://account:[email protected]/incoming/malware.html

Additional Information:



Disable /incoming on your FTP site if your web site (or
co-located sites) uses cookies with private information.

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod