Original URL: http://www.channelregister.co.uk/2007/02/15/firefox_vuln/
Firefox hands out cookies from strangers
Be careful, kids
Posted in Software & Security, 15th February 2007 02:08 GMT
Firefox suffers from a flaw that allows attackers to manipulate the authentication cookies of virtually any website, a vulnerability Bugzilla has deemed severe (https://bugzilla.mozilla.org/show_bug.cgi?id=370445). It's the second major security lapse for the open-source browser in as many days.
The defect, which stems from the way Firefox writes to the "location.hostname" property of the document object model, can be exploited by a specially doctored script that sets variables that normally wouldn't be accepted when parsing a regular URL, according to researcher Michal Zalewski, who uncovered Monday's vulnerability (http://www.theregister.com/2007/02/13/browser_vulns/) as well.
By injecting a text string that includes "\x00", normal safeguards can be bypassed, allowing the browser to be fooled about the origin of a domain trying to set or modify a cookie. The sleight of hand makes a victim's browser appear to be talking to trustedbank.com when in fact it is receiving data from evilhackers.com.
The attacker would also be able to change the document.domain accordingly. A demonstration of the vulnerability, which has been tested on version 2.0.0.1, is available here (http://lcamtuf.dione.cc/ffhostname.html). ®
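
The origin confusion described above can be modelled as two readers of one hostname string: one that uses its full length and one that stops at the first NUL byte. The sketch below is an added example, not code from the article, Mozilla or the researcher; the helper names and the `.example` hostnames are constructed, and treating the second reader as a C-style string is an assumption about the mechanism.

```javascript
// Added example: reject hostnames that two parsers could read differently.
// All hostnames below are constructed samples, not values from the article.

// Labels: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Hypothetical helper: strict allow-list check applied to the whole string.
function isSafeHostname(host) {
  if (typeof host !== "string" || host.length === 0 || host.length > 253) {
    return false;
  }
  // Any control character (including \x00) is rejected outright.
  if (/[\x00-\x1f\x7f]/.test(host)) return false;
  return host.split(".").every((label) => LABEL.test(label));
}

// Hypothetical helper: what a NUL-terminated (C string) consumer would see.
function cStringView(host) {
  const nul = host.indexOf("\x00");
  return nul === -1 ? host : host.slice(0, nul);
}

// Hypothetical helper: suffix-style domain match on whatever string it is given.
function domainMatches(host, domain) {
  const h = host.toLowerCase();
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Compare both views and apply the validator before trusting either.
function checkHostname(host, cookieDomain) {
  return {
    fullStringMatches: domainMatches(host, cookieDomain),
    truncatedMatches: domainMatches(cStringView(host), cookieDomain),
    accepted: isSafeHostname(host) && domainMatches(host, cookieDomain),
  };
}

const samples = ["www.site-a.example", "site-b.example\x00.site-a.example"];
for (const s of samples) {
  console.log(JSON.stringify(s), checkHostname(s, "site-a.example"));
}
```

A hostname is only accepted when the whole string passes the allow-list, so the two views can never disagree for an accepted value.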
