Closed Bug 388097 Opened 17 years ago Closed 15 years ago

null-domain cookies possible (malicious cookie swapping)

Categories

(Core :: Networking: Cookies, defect)

1.8 Branch
defect
Not set
minor

RESOLVED WORKSFORME

People

(Reporter: lcamtuf, Unassigned)

Details

(Keywords: privacy, Whiteboard: [sg:needinfo] can't repro?)

It is possible for sites to produce null-domain cookies, by specifying document.cookie="...;domain=." for example from within javascript: or data: windows:

open("javascript:document.cookie='foo=bar;domain=.';alert(document.cookie)","_blank");

Luckily for us (and contrary to what could be expected), these cookies are not sent to all sites, but can be accessed by other domain-less windows; specifying other domains won't work (or, at the very least, I couldn't find a way to do it), and extra periods will be trimmed. Entries with null domain are properly handled when writing to and reading from cookies.txt. 

I thought it's worth reporting because a) this could be used to greatly simplify tracking users (cookies stored this way can be read by any site that knows where to look); b) I'm not entirely convinced this couldn't be turned into a more interesting attack vector given a more thorough analysis.
Component: Security → Networking: Cookies
Flags: blocking1.8.1.6?
Keywords: privacy
Product: Firefox → Core
QA Contact: firefox → networking.cookies
Whiteboard: [sg:low] tracking at least, worse?
Version: 2.0 Branch → 1.8 Branch
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.7?
(In reply to comment #0)
> Entries with null domain are properly
> handled when writing to and reading from cookies.txt. 

hmm, can you elaborate (maybe paste the relevant lines from cookies.txt)?

i've been looking into this but can't see offhand where the problem is in the codepath; the dot test should catch this and reject the cookie... unless the host URI is somehow blank as well, that could do it...
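The "dot test" mentioned above, together with the domain=. trick from comment 0, comes down to what a cookie store does with the Domain attribute before it accepts a cookie. The following is an added illustration, not Mozilla's cookie code: a minimal acceptance check following the RFC 6265 domain-matching rules, which strips one leading dot, rejects an attribute that is empty afterwards, and rejects a cookie set from a context with no host at all (javascript:, data:, about:blank). All function names are hypothetical.

```javascript
// Added example (not Mozilla's code): a minimal Domain-attribute check of the
// kind a cookie store applies before accepting a cookie. Function names are
// hypothetical; the matching rule follows RFC 6265 section 5.1.3 (simplified).

// Parse a document.cookie / Set-Cookie style string into name, value and
// lower-cased attribute keys.
function parseCookieString(str) {
  const parts = str.split(";").map((p) => p.trim());
  const [name, ...rest] = parts[0].split("=");
  const cookie = { name: name.trim(), value: rest.join("=").trim(), attrs: {} };
  for (const part of parts.slice(1)) {
    if (!part) continue;
    const eq = part.indexOf("=");
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? "" : part.slice(eq + 1).trim();
    cookie.attrs[key] = val;
  }
  return cookie;
}

// Canonicalise a Domain attribute: lower-case it and strip ONE leading dot.
// A bare "." therefore becomes the empty string, which the caller must reject.
function canonicalDomain(attr) {
  let d = attr.toLowerCase();
  if (d.startsWith(".")) d = d.slice(1);
  return d;
}

// Domain-match: the host equals the domain, or the host ends with "." + domain
// and is not an IPv4 literal (a simplified version of the RFC 6265 rule).
function domainMatches(host, domain) {
  if (host === domain) return true;
  return host.endsWith("." + domain) && !/^\d+\.\d+\.\d+\.\d+$/.test(host);
}

// Decide whether a cookie set by `host` is accepted and with which effective
// domain. Returns { ok: true, domain, hostOnly } or { ok: false, reason }.
function acceptCookie(setString, host) {
  // A context without a host (javascript:, data:, about:blank) has nothing to
  // bind the cookie to, so it is rejected before any attribute is looked at.
  if (!host) return { ok: false, reason: "no host for cookie context" };
  const cookie = parseCookieString(setString);
  const rawDomain = cookie.attrs["domain"];
  if (rawDomain === undefined) {
    // No Domain attribute: host-only cookie bound to the exact setting host.
    return { ok: true, domain: host, hostOnly: true };
  }
  const domain = canonicalDomain(rawDomain);
  if (domain === "") return { ok: false, reason: "empty domain attribute" };
  if (!domainMatches(host, domain)) {
    return { ok: false, reason: "domain does not match host" };
  }
  return { ok: true, domain, hostOnly: false };
}

// Constructed inputs showing the cases discussed in the report.
console.log(acceptCookie("foo=bar;domain=.", "www.example.com"));          // rejected: empty domain
console.log(acceptCookie("foo=bar;domain=.example.com", "www.example.com")); // accepted, domain example.com
console.log(acceptCookie("foo=bar;domain=.", ""));                          // rejected: no host
```

With this check a domain=. attribute is rejected either way: from a normal page the canonical domain is empty, and from a host-less window the context itself is refused. The reasoning in the comment above, that a blank host URI would be the only way past the dot test, is what the second guard covers.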
I can't reproduce this bug (Firefox 2.0.11) no matter what I try (JavaScript).  I don't see it being marked as "fixed", nor do I see a reference in any of the changelogs.

The initial report indicates you actually could set null-domain cookies.  Can you still?

My test code is fairly straightforward.  It works until I add the null-domain bit.  It does work with a not-null domain.

<html><head><title>Cookie Test</title>
<script type="text/javascript">function createCookie() { document.cookie = "Domainless=Done; domain=."; }</script>
</head>
<body onLoad="createCookie();">Cookie Test Page</body></html>

So was this fixed somewhere, or am I missing something stupid?
assuming the reporter was using a recent 2.0.0.x release, we haven't taken any fixes that would affect this, afaik...
I can't get this to work in either a current shipping 3.0 or an old Firefox 2.0.0.3 which predates this report. I can get "domainless" cookies from a file URI (expected, no host for file:) but I can't get a literal '.' domain to work from any web site, not even the newly-created "about:blank" pages used in comment 0.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: wanted1.8.1.x+
Resolution: --- → WORKSFORME
Whiteboard: [sg:low] tracking at least, worse? → [sg:needinfo] can't repro?