Closed Bug 213012 Opened 21 years ago Closed 21 years ago

relative URLs can violate cookie path restrictions

Categories

(Core :: Networking: Cookies, defect)

Product:
Core
Component:
Networking: Cookies
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dveditz, Assigned: darin.moz)

References

Details

(Keywords: fixed1.4.1)

Attachments

(4 files)

quick and dirty patch, replaces %2E or %2e in the path with . and then does the usual stuff
1.24 KB, patch
dveditz
: review+
darin.moz
: superreview+
Details | Diff | Splinter Review
same patch as before but against 1.4
2.10 KB, patch
dveditz
: review+
darin.moz
: superreview+
mkaply
: approval1.4.1+
Details | Diff | Splinter Review
i18n safe trunk patch
1.51 KB, patch
Details | Diff | Splinter Review
i18n safe 1.4 patch
2.64 KB, patch
Details | Diff | Splinter Review 
Netscape received the following report from Martin O'Neal. In short, a URL like
http://x.com/victim/%2E%2E/evil/hack.html is incorrectly able to read cookies
with the path set to "/victim".

If a literal ".." is used then Mozilla coalesces the path before matching
against cookies, with the result that "/victim" will not match "/evil". Some
servers (Netscape's NES, for example) will not accept %2E%2E as a relative path,
but others (e.g. Apache) do. We should not depend on the server implementation
for our security, the coalescing code should treat %2e as a '.'

On the other hand, our Same-origin policy means /evil/hack.html could open
/victim/target.html in a frame and take the cookies through the DOM. But the
described hack does not require javascript.

----------Report follows-----------------
Issue details:
-- Overview --

The cookie specifications detail a path argument 
that can be used to restrict the areas of a host 
that will be exposed to a cookie. By using 
standard encoding techniques this functionality 
can be subverted, potentially exposing the cookie 
to scrutiny and use in further attacks.


-- Analysis --

The cookie standard is formally defined in 
RFC2965 [1]. This makes reference to the optional 
path argument that allows a cookie originator to 
specify “the subset of URLs on the origin server 
to which this cookie applies” [1].

Many of the user agents appear to function by 
simply matching the initial part of the requested 
URL, so by using a combination of relative paths 
and standard encoding techniques the path 
restriction functionality can be subverted. 

Where this becomes useful is in conducting 
attacks against the session cookies of an 
application that does not suffer from any 
exploitable input validation flaws, but that 
shares the same server environment with one that 
does.


-- Example --

For this example we shall imagine that our secure 
application shares a host with some sample files 
that were installed at the same time as the web 
server. Obviously, this would never happen in a 
live production environment (pauses to insert 
tongue firmly in cheek).

The secure application is located within 
the “/secure” folder and sets the cookie path 
argument to “/secure” which is intended to 
restrict the cookie information from being 
exposed elsewhere on the same host.

The attacker knows that the secure application 
has no useable vulnerabilities in itself and can 
also see that the cookie that it sets has the 
path restricted. They also know that the sample 
files have an exploitable XSS flaw that would 
give them access to the all-important session 
cookies (if they can get a valid user to access 
it; a completely different problem to solve).

By using a crafted URL they can bypass the path 
restriction intended by the originator and get 
the valid users browser to expose the session 
cookie to the sample application. 


-- Recommendations --

The cookie path functionality of the affected 
user agents should be revised to ensure that they 
work as intended and cannot be bypassed by 
encoding techniques.


-- Escalation --

>From initial analysis, it appears this style of 
flaw might be widespread across various agents. 
If this is confirmed as being so, then we will 
most likely need to coordinate a public release 
across vendors.
I'm wondering if this is really a cookie bug, or something we should fix in the
various implementations of nsIURI... currently, cookies just calls
nsIURI::GetPath and then matches that against a stored string. So, if the nsIURI
impls coalesced the path in this case, I don't think there'd be a problem. Comments?

thanks for filing this dveditz!
I'm getting a feeling of deja vu here - haven't we seen this before? theres bug
114018, but I thought we had something on the .. thing too. Maybe I'm
misremembering.
dveditz and i thought about making net_CoalesceDirsAbs (in nsURLHelper.cpp)
treat %2E equivalently to a simple unescaped '.'
Should we also watch out for %2F==/ just in case? The two servers we tested
wouldn't act on that equivalence, and it *is* in the restricted set (unlike '.')
so arguably we shouldn't have to.
bbaetz: bug 114018 doesn't seem relevant, did you mean another?
Now that I have access to this bug (bugzilla is strange sometimes) repeating
what I mailed before:

RFC 2396 says:

   2.3. Unreserved Characters

   Data characters that are allowed in a URI but do not have a reserved
   purpose are called unreserved.  These include upper and lower case
   letters, decimal digits, and a limited set of punctuation marks and
   symbols.

      unreserved  = alphanum | mark

      mark        = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"

   Unreserved characters can be escaped without changing the semantics
   of the URI, but this should not be done unless the URI is being used
   in a context that does not allow the unescaped character to appear.



A "." can be escaped without changing the semantics of the url. For that reason
I think we should change CoalesceDirs in a way that it also recognizes %2E and
%2e as . For example we can do a replace of %2E or %2e to "." at the beginning
of CoalesceDirs and then use the usual algorithm.

But please do not watch out for %2F .. doing so would change the semantics of
the url, usually %2F is used to hide a slash that is for example part of a
directory or filename. Looking for %2F would have really strange effects.

Searching bugzilla comments for %2e%2e turned up bug 41571 and bug 182176.
Should we not do the same thing in net_CoalesceDirsAbs?
That function does not exist anymore, see bug 207298 for details or update your
tree ;-)

But of course, if you want this fix in 1.4x or 1.5a you must do this patch on
net_coalesceDirsAbs and net_coalesceDirsRel instead.

Comment on attachment 128080 [details] [diff] [review]
quick and dirty patch, replaces %2E or %2e in the path with . and then does the usual stuff

since no one instantly objected to this quick fix, requesting reviews
Attachment #128080 - Flags: superreview?(darin)
Attachment #128080 - Flags: review?(dveditz)
Comment on attachment 128080 [details] [diff] [review]
quick and dirty patch, replaces %2E or %2e in the path with . and then does the usual stuff

this looks good to me.	thanks andreas!  sr=darin
Attachment #128080 - Flags: superreview?(darin) → superreview+
Attachment #128429 - Flags: superreview?(darin)
Attachment #128429 - Flags: review?(dveditz)
Attachment #128429 - Flags: superreview?(darin) → superreview+
There is a potential i18n problem with this change. If the URL contained  
escaped multibyte-sequences, the straightforward-conversion of %2E to '.' 
might corrupt the URL.

A multibyte-sequence starts with a non-ASCII character, but the trailing bytes
can be 7-bit ASCII and therefore one of them might be 0x2E.

This can probably be prevented if the URL will be unescaped as whole. 

The conversion shouldn't affect the intepretation -- the server gets %2e and
converts it to '.', or we send it the '.' directly. Either way if it's part of a
multi-byte sequence it should be combinable with the previous character.  We
only strip out the dots if after conversion there are one or two in a row
bounded by slashes which is never going to be a multibyte sequence.
Comment on attachment 128080 [details] [diff] [review]
quick and dirty patch, replaces %2E or %2e in the path with . and then does the usual stuff

r=dveditz
Attachment #128080 - Flags: review?(dveditz) → review+
Comment on attachment 128429 [details] [diff] [review]
same patch as before but against 1.4

r=dveditz
Attachment #128429 - Flags: review?(dveditz) → review+
I agree with Dan here. If %2E would be "IsDBCSLeadByte" we would have a problem,
but as far as I know it isn't.
Comment on attachment 128429 [details] [diff] [review]
same patch as before but against 1.4

should this also be fixed for 1.0.x?
Attachment #128429 - Flags: approval1.4.x?
Thinking again about what Asaf Amit said, if the first byte is "IsDBCSLeadByte"
and the following chars are "%2E" ("%" being the other byte) we would destroy
that by replacing "%2E" with ".". Does this make sense?


    
    

    
  
hmm... when net_CoalesceDirs is called from BuildNormalizedSpec, the input
string will have any non-ASCII characters (or possibly non-UTF8 characters
depending on preferences) URL-escaped.  so, there cannot be an unescaped DBCS
lead byte passed to net_CoalesceDirs when invoked from BuildNormalizedSpec. 
likewise, since the input/output of nsIURI::resolve must be a UTF-8 string, the
input to net_CoalesceDirs will not contain an unescaped DBCS lead byte.  so, i
think the original patches are i18n safe.

    
    

    
  
In return this would mean that that code in coalesceDirs is old cruft that can
be removed when conveniant.

    
    

    
  
literal '%' is not a valid URL character. If you were really trying to enter a
path with "<2ndByte-%>2e" in it you should escape it as %252e.

    
    

    
  
fix checked in on trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 128429 [details] [diff] [review]
same patch as before but against 1.4

Please check the appropriate patch into 1.4.

Thanks

        Attachment #128429 -
        Flags: approval1.4.x? → approval1.4.x+

    
    

    
  
fix also checked in into the 1.4 branch

    
  
Keywords: fixed1.4.1

    
  
Blocks: 224532

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: