SECURITY.NNOV: accessing cookies via ftp
Oct 15, 2001

Hello bugtraq,

The article below describes a vulnerability that can be treated
either as a software vulnerability or as a server configuration
problem, depending on your point of view. Many servers on the
Internet are affected by this problem, though.

Topic: accessing cookies via ftp
Affected Software: all versions of Netscape/Mozilla
Author: 3APA3A <[email protected]>
Risk: Low
Remotely Exploitable: Yes
Impact: depending on server configuration, a cookie set by the
server can be retrieved from the client by a hostile party
Vendor URL: http://www.mozilla.org
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Description:

Mozilla does not record the protocol over which a cookie was
received, and it allows the cookie to be handled in documents
received via FTP. This allows a document located on an FTP site
to access a cookie that was set by the HTTP site on the same host.
Since FTP has no virtual servers (one host name per server) and
some FTP sites allow anonymous document upload, this creates a
danger of unauthorized access to cookies. Secure cookies set via
a secured protocol are probably not affected by this problem.
Internet Explorer is probably not affected.

Details:

The attack is possible under the following conditions:

  1. FTP and HTTP coexist in the same domain (as defined in RFC
     2965).
  2. The attacker has write access to the FTP server (via /incoming
     or via an FTP account).

Example of attack scenario:

http://webmail.example.com uses a cookie to store the user's
account information. There is also ftp://ftp.example.com with an
/incoming directory that allows anonymous access, physically
located on the same host, 192.168.1.1. In this case
ftp://webmail.example.com/incoming can be accessed anonymously
for writing. (The attack is also possible if webmail.example.com
and ftp.example.com are located on different hosts, provided
webmail.example.com sets its cookie for the example.com domain,
as many servers do.)

  1. The attacker composes a trojaned HTML document (malware.html)
     with JavaScript that sends document.cookie to a predefined URL.
  2. He uploads this document to
     ftp://ftp.example.com/incoming
  3. He sends the webmail.example.com user an e-mail containing a
     redirect to ftp://webmail.example.com/incoming/malware.html
     (for example, a <META REFRESH> tag).
  4. When the user opens the message he is redirected to
     malware.html, which sends the user's cookie to the URL
     specified by the attacker.

If there is no anonymous access to the FTP server but the attacker
has an FTP account, he can use a URL with embedded credentials:
ftp://account:password@webmail.example.com/incoming/malware.html
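The following is an added example, not code from the advisory or from Mozilla: a small model of the Netscape-era cookie-matching rules (domain-match per RFC 2965, path prefix, Secure flag), used to show why a cookie set by http://webmail.example.com is released to a page fetched over FTP from the same host, and, for a cookie scoped to .example.com, from ftp.example.com as well. The hosts, cookie names and values are constructed; the `schemeAware` policy flag stands for the hypothetical fix of remembering the scheme a cookie was set over, and is not a setting of any real browser.

```javascript
// Added example, not part of the advisory. Models which cookies a
// Netscape-style browser of 2001 would attach to (and expose via
// document.cookie in) a document fetched from a given URL.
// All hosts, cookie names and values are constructed.

// Domain-match as defined in RFC 2965 section 1: equal host names, or a
// Domain attribute starting with a dot that is a proper suffix of the host.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return domain.startsWith(".") && host.length > domain.length && host.endsWith(domain);
}

// Path-match: the cookie's Path attribute is a prefix of the request path.
function pathMatch(requestPath, cookiePath) {
  return requestPath.startsWith(cookiePath);
}

// Decide whether `cookie` is sent with a document fetched from `requestUrl`.
// Note that the scheme of the request is only consulted for the Secure flag,
// which is exactly the gap the advisory describes. `policy.schemeAware` is
// the hypothetical fix: remember the scheme the cookie was set over and refuse
// to release it over any other scheme.
function cookieApplies(cookie, requestUrl, policy = { schemeAware: false }) {
  const url = new URL(requestUrl);           // handles ftp://user:pass@host/ too
  const host = url.hostname.toLowerCase();
  const inDomain = cookie.hostOnly
    ? host === cookie.domain.toLowerCase()   // no Domain attribute: exact host only
    : domainMatch(host, cookie.domain);
  if (!inDomain) return false;
  if (!pathMatch(url.pathname, cookie.path)) return false;
  if (cookie.secure && url.protocol !== "https:") return false;
  if (policy.schemeAware && url.protocol !== cookie.setByScheme) return false;
  return true;
}

// Constructed cookies, as a webmail site might set them.
const wideCookie = {       // Set-Cookie: session=abc123; Domain=.example.com; Path=/
  name: "session", value: "abc123", domain: ".example.com", hostOnly: false,
  path: "/", secure: false, setByScheme: "http:",
};
const hostOnlyCookie = {   // Set-Cookie: session=abc123; Path=/   (no Domain attribute)
  ...wideCookie, domain: "webmail.example.com", hostOnly: true,
};
const secureCookie = {     // Set-Cookie: session=abc123; Domain=.example.com; Secure
  ...wideCookie, secure: true, setByScheme: "https:",
};

// Which of the three cookies would be visible to a page at `requestUrl`.
function leakedCookies(requestUrl, policy) {
  return [wideCookie, hostOnlyCookie, secureCookie]
    .filter(c => cookieApplies(c, requestUrl, policy))
    .map(c => c.domain + (c.secure ? " (Secure)" : ""));
}

const sameHost  = "ftp://webmail.example.com/incoming/malware.html";
const otherHost = "ftp://ftp.example.com/incoming/malware.html";
const withCreds = "ftp://account:password@webmail.example.com/incoming/malware.html";

console.log(leakedCookies(sameHost));   // [".example.com", "webmail.example.com"]
console.log(leakedCookies(otherHost));  // [".example.com"]
console.log(leakedCookies(withCreds));  // credentials in the URL do not change the host
console.log(leakedCookies(sameHost, { schemeAware: true }));  // []
```

The output shows the two mitigations the advisory's text implies: a host-only cookie (no Domain attribute) survives the cross-host case but not the same-host case, and only a Secure cookie, or a scheme-aware browser, survives the same-host case where the FTP and HTTP names resolve to one server.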

Additional Information:

See: http://bugzilla.mozilla.org/show_bug.cgi?id=90644

Workaround:

Disable /incoming on your FTP site if your web site (or a
co-located site) uses cookies containing private information.


http://www.security.nnov.ru
              /\_/\
             { . . }  |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA U 3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)