  Access to HTTP cookies via FTP in Mozilla (unauthorized access)

From: 3APA3A <3APA3A_(at)_security.nnov.ru>
Date: 15.10.2001
Subject: SECURITY.NNOV: accessing cookies via ftp


Hello bugtraq,

The article below describes a vulnerability that can be treated
as either a software vulnerability or a specific server
configuration problem, depending on your point of view.
Many servers on the Internet are affected by this problem, though.

Topic:                    accessing cookies via ftp
Affected Software:        all versions of Netscape/Mozilla
Author:                   3APA3A <[email protected]>
Risk:                     Low
Remotely Exploitable:     Yes
Impact:                   depending on server configuration, a
                          cookie set by the server can be
                          retrieved from the client by a
                          hostile party
Vendor URL:               http://www.mozilla.org
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories


Description:

Mozilla does not record which protocol a cookie was received
over, and it lets documents received via FTP access cookies.
A document located on an FTP site can therefore read a cookie
that was set by an HTTP site in the same domain. Since FTP does
not support virtual servers (an FTP server answers under every
host name that resolves to its address) and some FTP sites allow
anonymous document upload, this creates a danger of unauthorized
access to cookies. Secure cookies set over a secured protocol are
probably not affected by this problem. Internet Explorer is
probably not affected.

Details:

The attack is possible under the following conditions:

1. FTP and HTTP coexist in the same domain (as defined in RFC
   2965).
2. The attacker has write access to the FTP server (via /incoming
   or via an FTP account).

Example attack scenario:

http://webmail.example.com uses a cookie to store the user's
account information. There is also ftp://ftp.example.com with an
/incoming directory allowing anonymous access, physically located
on the same host, 192.168.1.1. In this case
ftp://webmail.example.com/incoming can be accessed anonymously
for writing. (The attack is also possible if webmail.example.com
and ftp.example.com are located on different hosts but
webmail.example.com sets the cookie for the example.com domain,
as many servers do.)

1. The attacker composes a trojaned HTML page (malware.html) with
   JavaScript that sends document.cookie to a predefined URL.
2. He uploads this document to ftp://ftp.example.com/incoming.
3. He sends an e-mail to a webmail.example.com user containing a
   redirect to ftp://webmail.example.com/incoming/malware.html
   (for example, a <META REFRESH> tag).
4. When the user opens the message, he is redirected to
   malware.html, which sends the user's cookie to the URL
   specified by the attacker.

If there is no anonymous access to the FTP server but the attacker
has an FTP account, he can use the URL
ftp://account:[email protected]/incoming/malware.html
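The following is an added example, not code from the advisory or from Mozilla: a minimal cookie-jar lookup that models the bug. The vulnerable lookup keys cookies by domain only, so a document fetched over ftp:// from a host in the same domain receives the session cookie; the hardened lookup additionally restricts cookie access to http/https documents. The cookie values and the simplified RFC 2965 domain-match rule are assumptions for illustration.

```javascript
// Added example (not Mozilla's code). Models a cookie jar that, like
// the one described in the advisory, does not remember the scheme a
// cookie arrived over, and compares it with a jar that refuses to
// hand cookies to documents loaded over anything but http/https.

// Simplified RFC 2965 domain-match: exact host-name match, or the
// cookie domain starts with "." and the host ends with it, with a
// non-empty prefix (so webmail.example.com matches .example.com).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (!domain.startsWith(".") || !host.endsWith(domain)) return false;
  return host.length > domain.length;
}

// jar entries: { name, value, domain, secure }
// requireHttpScheme=false reproduces the vulnerable behaviour.
function cookiesFor(jar, url, requireHttpScheme) {
  const u = new URL(url);
  const isHttp = u.protocol === "http:" || u.protocol === "https:";
  return jar
    .filter(c => domainMatch(u.hostname, c.domain))
    // Secure cookies are only released to https documents.
    .filter(c => !c.secure || u.protocol === "https:")
    // The fix modelled here: cookies exist only for http/https documents.
    .filter(c => !requireHttpScheme || isHttp)
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed sample jar: a session cookie that webmail.example.com
// set for the whole example.com domain, plus a Secure cookie.
const jar = [
  { name: "session", value: "abc123", domain: ".example.com", secure: false },
  { name: "auth", value: "xyz", domain: ".example.com", secure: true },
];

// A page under ftp://ftp.example.com/incoming/ reading document.cookie.
const FTP_DOC = "ftp://ftp.example.com/incoming/malware.html";

function vulnerableView() { return cookiesFor(jar, FTP_DOC, false); }
function hardenedView() { return cookiesFor(jar, FTP_DOC, true); }
```

With the vulnerable lookup the FTP document sees `session=abc123`; with the scheme check it sees nothing, while http/https documents on webmail.example.com are unaffected.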


Additional Information:

See: http://bugzilla.mozilla.org/show_bug.cgi?id=90644

Workaround:

Disable /incoming for your FTP site if your web site (or
co-located sites) uses cookies containing private information.


--
http://www.security.nnov.ru
        /\_/\
       { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                   |/
You know my name - look up my number (The Beatles)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod