SECURITY.NNOV: accessing cookies via ftp

2001-10-15T00:00:00
ID SECURITYVULNS:DOC:2094
Type securityvulns
Reporter Securityvulns
Modified 2001-10-15T00:00:00

Description

Hello bugtraq,

The article below describes a vulnerability that can be treated either as a software vulnerability or as a server-configuration problem, depending on your point of view. Many servers on the Internet are affected by this problem either way.

Topic: accessing cookies via ftp
Affected Software: all versions of Netscape/Mozilla
Author: 3APA3A <3APA3A@security.nnov.ru>
Risk: Low
Remotely Exploitable: Yes
Impact: depending on server configuration, a cookie set by the server can be retrieved from the client by a hostile party
Vendor URL: http://www.mozilla.org
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Description:

Mozilla does not record the protocol over which a cookie was received and allows cookies to be handled in documents retrieved via FTP. As a result, a document located on an FTP site can read a cookie that was set by an HTTP site with a matching host or domain. Because FTP has no equivalent of name-based virtual hosts (every hostname pointing at the server reaches the same FTP content) and some FTP sites allow anonymous uploads, this creates a risk of unauthorized access to cookies. Secure cookies set over a secured protocol (HTTPS) are probably not affected, since they are only released to HTTPS documents. Internet Explorer is probably not affected.

Details:

An attack is possible under the following conditions:

  1. FTP and HTTP coexist in the same domain (as "domain" is defined in RFC 2965), i.e. the FTP server is reachable under the web server's hostname or under a host covered by the cookie's Domain attribute.
  2. The attacker has write access to the FTP server (via /incoming or via an FTP account).

Example of attack scenario:

http://webmail.example.com uses a cookie to store the user's account information. There is also ftp://ftp.example.com with an /incoming directory that allows anonymous uploads, physically located on the same host, 192.168.1.1. In this case ftp://webmail.example.com/incoming can be written to anonymously, because the FTP server does not distinguish which hostname it was reached by. (The attack is also possible if webmail.example.com and ftp.example.com are on different hosts, provided webmail.example.com sets its cookie for the example.com domain, as many servers do.)

  1. The attacker composes a trojaned HTML document (malware.html) containing JavaScript that sends document.cookie to a predefined URL.
  2. He uploads this document to ftp://ftp.example.com/incoming.
  3. He sends an e-mail to a webmail.example.com user containing a redirect to ftp://webmail.example.com/incoming/malware.html (for example, a <META REFRESH> tag).
  4. When the user opens the message, he is redirected to malware.html, which sends the user's cookie to the URL specified by the attacker.

If there is no anonymous access to the FTP server but the attacker has an FTP account, he can use the URL ftp://account:password@webmail.example.com/incoming/malware.html instead; the credentials in the URL do not change the hostname the cookie is matched against.
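The matching behaviour described in the Description and walked through in the scenario above, as an added example that is not code from the advisory or from Mozilla: a small Node.js cookie-jar model. With rememberScheme=false it behaves as the advisory reports (the protocol that delivered the cookie is not recorded, so an FTP document on a matching host receives it); with rememberScheme=true it records the scheme and releases HTTP-set cookies only to HTTP(S) documents, which is this example's own proposed check, not Mozilla's actual fix. The hostnames are the advisory's; the cookie names and values are constructed, and the domain matching is a simplified form of the RFC 2965 rule.

```javascript
// Added example, not code from the advisory: a minimal cookie jar that
// models the reported behaviour (cookies handed to FTP documents because the
// receiving protocol is not recorded) next to a jar that remembers the
// protocol and releases cookies only to HTTP(S) documents.
// Hostnames are the advisory's own; cookie names and values are constructed.

function parts(urlString) {
  // Node's WHATWG URL parser: hostname excludes any user:password@ prefix.
  const u = new URL(urlString);
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname };
}

// Simplified RFC 2965 domain match: exact host, or a dotted domain that is
// a suffix of the host (".example.com" covers webmail.example.com and
// ftp.example.com alike).
function domainMatches(host, domain) {
  if (host === domain) return true;
  return domain.startsWith(".") &&
    (host.endsWith(domain) || host === domain.slice(1));
}

const isHttp = (scheme) => scheme === "http" || scheme === "https";

class CookieJar {
  // rememberScheme=false models the reported Mozilla behaviour; true is the
  // check this example proposes (an assumption, not Mozilla's actual fix).
  constructor({ rememberScheme }) {
    this.rememberScheme = rememberScheme;
    this.cookies = [];
  }

  setCookie(fromUrl, name, value, { domain, secure = false } = {}) {
    const { scheme, host } = parts(fromUrl);
    this.cookies.push({
      name, value, secure,
      domain: domain || host,            // server may widen to ".example.com"
      scheme: this.rememberScheme ? scheme : null,
    });
  }

  // Names of the cookies a document loaded from docUrl would see.
  cookiesFor(docUrl) {
    const { scheme, host } = parts(docUrl);
    return this.cookies
      .filter((c) => domainMatches(host, c.domain))
      // Secure cookies only go to HTTPS documents (both jars do this).
      .filter((c) => !c.secure || scheme === "https")
      // Proposed check: a cookie that arrived over HTTP(S) is released only
      // to HTTP(S) documents, so an FTP-served page gets nothing.
      .filter((c) => c.scheme === null || (isHttp(c.scheme) && isHttp(scheme)))
      .map((c) => c.name);
  }
}

function demo(rememberScheme) {
  const jar = new CookieJar({ rememberScheme });
  // Constructed cookies as webmail.example.com might set them after login.
  jar.setCookie("http://webmail.example.com/login", "session", "abc123");
  jar.setCookie("http://webmail.example.com/login", "account", "alice",
                { domain: ".example.com" });
  jar.setCookie("https://webmail.example.com/login", "token", "s3cret",
                { secure: true });

  return {
    // Legitimate use: the webmail application itself.
    web: jar.cookiesFor("http://webmail.example.com/inbox"),
    // Same host, FTP scheme (anonymous /incoming upload).
    sameHost: jar.cookiesFor("ftp://webmail.example.com/incoming/malware.html"),
    // FTP-account variant: credentials in the URL do not change the host.
    withAccount: jar.cookiesFor(
      "ftp://account:password@webmail.example.com/incoming/malware.html"),
    // Different host in the same domain; only the domain-wide cookie matches.
    otherHost: jar.cookiesFor("ftp://ftp.example.com/incoming/malware.html"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("scheme not recorded:", demo(false));
  console.log("scheme recorded:    ", demo(true));
}
```

Run with `node` to see both tables: without the scheme recorded, the FTP document on webmail.example.com receives both the host-scoped session cookie and the domain-wide account cookie, and the FTP document on ftp.example.com still receives the domain-wide one; with the scheme recorded, the FTP documents receive nothing while the webmail application keeps working. The secure token cookie is never released to FTP in either case, which matches the advisory's remark about secure cookies.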

Additional Information:

See: http://bugzilla.mozilla.org/show_bug.cgi?id=90644

Workaround:

Disable the writable /incoming directory on your FTP site (and do not hand out FTP accounts you do not trust) if your web site, or any site co-located with it or sharing its cookie domain, uses cookies that carry private information.

-- http://www.security.nnov.ru /\_/\ { . . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } +-------------o66o--+ / |/ You know my name - look up my number (The Beatles)