Computer Security

Related information

  Access to HTTP cookies via FTP in Mozilla (unauthorized access)

From: 3APA3A <3APA3A_(at)>
Subject: SECURITY.NNOV: accessing cookies via ftp

Hello bugtraq,

The article below describes a vulnerability that can be
treated as either a software vulnerability or a specific
server configuration problem, depending on your point of view.
Many servers on the Internet are affected by this problem.

Topic:                    accessing cookies via ftp
Affected Software:        all versions of Netscape/Mozilla
Author:                   3APA3A <[email protected]>
Risk:                     Low
Remotely Exploitable:     Yes
Impact:                   depending on server configuration
                          cookie set by server can be
                          retrieved by hostile side from
Vendor URL:     
SECURITY.NNOV advisories:


Mozilla doesn't store information about the protocol used to
receive a cookie and allows the cookie to be handled in
documents received via FTP. This allows a document located on
an FTP site to access a cookie if it was set by the same HTTP
site. Since FTP doesn't allow virtual servers and some FTP
sites allow anonymous document upload, this creates a danger
of unauthorized access to cookies. Secure cookies set via a
secured protocol are probably not affected by this problem.
Internet Explorer is probably not affected.


The attack is possible under the following conditions:

1. FTP and HTTP coexist in the same domain (as defined in RFC
2. The attacker has write access to FTP (via /incoming or via
   an FTP account).

Example of attack scenario:   uses  cookie  to  store  user's
account  information.  There  is  also
with   /incoming   directory   allowing   anonymous  access
physically  located  on  the  same host In this
case  can  be  accessed
anonymously   for  writing  (attack  is  also  possible  if  and  are  located  on
different  hosts,  but  sets cookie for domain as many servers do).

1. The attacker composes a trojaned HTML document
(malware.html) with JavaScript which sends document.cookie to
a predefined URL.
2.      He      downloads      this      document     to
3.     He     sends     e-mail     with    redirect    to        to  user  (for  example  it  can  be  <META
4. When the user opens the message, he is redirected to
malware.html, which sends the user's cookie to the URL
specified by the attacker.

If there is no anonymous access to FTP but the attacker has
an FTP account, he can use the URL
ftp://account:[email protected]/incoming/malware.html

Additional Information:



Disable /incoming for your FTP site if your web site (or
co-located sites) uses cookies with private information.

       { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)
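
Added example, not part of the original advisory and not Mozilla
code: a toy cookie jar in JavaScript that compares the host-only
matching the advisory describes with a hypothetical scheme-aware
lookup. The class, its policy names and the example.com hostnames
are constructed for illustration.

```javascript
// Toy cookie jar (added illustration, not Mozilla code); hostnames are constructed.
// policy "host-only": scheme is not recorded, as the advisory describes.
// policy "scheme-aware": hypothetical fix, cookie visible only over the setting scheme.
class CookieJar {
  constructor(policy) {
    this.policy = policy;
    this.cookies = [];
  }

  // Record a cookie set by setterUrl; an optional domain attribute
  // (e.g. ".example.com") widens it to every host in that domain.
  set(setterUrl, name, value, domain) {
    const u = new URL(setterUrl);
    this.cookies.push({
      name, value,
      scheme: u.protocol,
      domain: (domain || u.hostname).toLowerCase().replace(/^\./, ""),
      hostOnly: !domain,
    });
  }

  // The string document.cookie would expose to a document at documentUrl.
  visibleTo(documentUrl) {
    const u = new URL(documentUrl);
    const host = u.hostname.toLowerCase();
    return this.cookies
      .filter((c) => {
        const hostMatch = host === c.domain ||
          (!c.hostOnly && host.endsWith("." + c.domain));
        if (!hostMatch) return false;
        return this.policy === "host-only" || c.scheme === u.protocol;
      })
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed scenario: HTTP sets a host cookie and a domain-wide cookie,
// then documents are loaded over FTP from the same and from a sibling host.
function demo(policy) {
  const jar = new CookieJar(policy);
  jar.set("http://www.example.com/login", "session", "abc123");
  jar.set("http://www.example.com/login", "prefs", "dark", ".example.com");
  return {
    sameHost: jar.visibleTo("ftp://www.example.com/incoming/page.html"),
    otherHost: jar.visibleTo("ftp://ftp.example.com/incoming/page.html"),
    http: jar.visibleTo("http://www.example.com/account"),
  };
}
console.log(demo("host-only"), demo("scheme-aware"));
```

With host-only matching the FTP document on the same host sees
both cookies and the sibling FTP host sees the domain-wide one;
with the scheme-aware lookup neither FTP document sees anything.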

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod