SECURITY.NNOV: accessing cookies via ftp

Type securityvulns
Reporter Securityvulns
Modified 2001-10-15T00:00:00


Hello bugtraq,

The article below describes a vulnerability that can be treated as either a software vulnerability or a specific server configuration problem, depending on your point of view. Many servers on the Internet are affected by this problem, though.

Topic: accessing cookies via ftp
Affected Software: all versions of Netscape/Mozilla
Author: 3APA3A <>
Risk: Low
Remotely Exploitable: Yes
Impact: depending on server configuration cookie set by server can be retrieved by hostile side from client
Vendor URL:
SECURITY.NNOV advisories:


Mozilla doesn't store information about the protocol used to receive a cookie and allows the cookie to be handled in documents received via FTP. This allows a document located on an FTP site to access a cookie if it was set by the same site via HTTP. Since FTP doesn't allow virtual servers and some FTP sites allow anonymous document upload, this creates a danger of unauthorized access to cookies. Secure cookies set via a secured protocol are probably not affected by this problem. Internet Explorer is probably not affected.


The attack is possible under the following conditions:

  1. FTP and HTTP coexist in the same domain (as defined in RFC 2965).
  2. The attacker has write access to FTP (via /incoming or via an FTP account).

Example of attack scenario: uses cookie to store user's account information. There is also with /incoming directory allowing anonymous access physically located on the same host. In this case can be accessed anonymously for writing (attack is also possible if and are located on different hosts, but sets cookie for domain as many servers do).

  1. The attacker composes a trojaned HTML document (malware.html) with JavaScript which sends document.cookie to a predefined URL.
  2. He uploads this document to
  3. He sends an e-mail with a redirect to to the user (for example, it can be a <META REFRESH> tag).
  4. When the user opens the message, he is redirected to malware.html, which sends the user's cookie to the URL specified by the attacker.

If there is no anonymous access to FTP but the attacker has an FTP account, he can use URL

Additional Information:



Disable /incoming on your FTP site if your web site (or co-located sites) uses cookies with private information.
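
The two conditions and the workaround above can be checked against a site's own Set-Cookie headers. The following is an added example, not code from the advisory: a simplified model of scheme-blind cookie scoping in which the host names (example.com), the cookie values and the `ftpExposure` helper are constructed for illustration, and Secure cookies are assumed to be unaffected, as the advisory expects.

```javascript
// Added example (not from the advisory): would a cookie set over HTTP be in
// scope for a document served from an FTP host when the scheme is ignored?
// All host names and cookie values below are constructed.

// Parse the parts of one Set-Cookie header that matter for scoping.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.split('=')[0], domain: requestHost.toLowerCase(),
                   hostOnly: true, secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    if (k.toLowerCase() === 'secure') cookie.secure = true;
    if (k.toLowerCase() === 'domain' && v) {
      cookie.domain = v.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Domain-match: identical host, or host is a subdomain of the cookie domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith('.' + domain);
}

// Condition 1: the cookie is in scope for the FTP host once the scheme is ignored.
// Condition 2: the FTP host accepts uploads (anonymous /incoming or an account).
// Assumption: Secure cookies are treated as unaffected, as the advisory expects.
function ftpExposure(setCookie, httpHost, ftp) {
  const c = parseSetCookie(setCookie, httpHost);
  const inScope = c.hostOnly ? ftp.host.toLowerCase() === c.domain
                             : domainMatch(ftp.host, c.domain);
  return { cookie: c.name, inScope, exposed: inScope && ftp.writable && !c.secure };
}

// Constructed inventory: FTP services and the cookies www.example.com sets.
const ftpSites = [
  { host: 'ftp.example.com', writable: true },   // anonymous /incoming
  { host: 'www.example.com', writable: false },  // same host, read-only FTP
];
const headers = ['account=alice; Domain=.example.com; Path=/',
                 'session=abc123; Path=/',
                 'token=xyz; Domain=example.com; Secure'];
for (const h of headers)
  for (const f of ftpSites)
    console.log(f.host, JSON.stringify(ftpExposure(h, 'www.example.com', f)));
```

Any row reported with `exposed: true` is a cookie to re-scope (host-only, or marked Secure) or an upload directory to disable.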

--
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)