Multiple vendor Web browsers bypass cookie path restriction
web-browser-cookie-bypass (15424)
Description:
Multiple vendor Web browsers could allow a remote attacker to bypass a cookie's path restriction, which limits the cookie to a specified subset of URLs. By sending a specially-crafted request containing directory traversal sequences, a remote attacker could bypass this restriction and obtain sensitive information from a cookie.
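The path check that closes this gap, as an added example that is not part of the original advisory or any vendor's code: it compares cookie path matching on the raw request path with matching after the encoded dot-dot (`%2e%2e`) sequences named in the CVE entries below are decoded and resolved. The function names, the cookie path `/secure-app` and the request paths are constructed for illustration.

```javascript
// Added example: function names and sample paths are constructed, not vendor code.

// Cookie path-match: the request path equals the cookie path, or the cookie
// path is a prefix of it that ends on a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Decode percent-encoded dots, then resolve "." and ".." segments the way the
// receiving server will. Assumes an absolute path that starts with "/".
function normalizePath(path) {
  const segments = path.replace(/%2e/gi, ".").split("/");
  const out = [];
  for (const seg of segments) {
    if (seg === "..") {
      if (out.length > 1) out.pop(); // never climb above the root
    } else if (seg !== ".") {
      out.push(seg);
    }
  }
  // A path ending in "." or ".." names a directory: keep the trailing slash.
  const last = segments[segments.length - 1];
  if (last === "." || last === "..") out.push("");
  return out.join("/");
}

// Unpatched behaviour: match against the path exactly as written in the URL.
function cookieSentRaw(requestPath, cookiePath) {
  return pathMatches(requestPath, cookiePath);
}

// Patched behaviour: match against the path the server will actually resolve.
function cookieSentNormalized(requestPath, cookiePath) {
  return pathMatches(normalizePath(requestPath), cookiePath);
}

const COOKIE_PATH = "/secure-app"; // constructed sample
for (const p of ["/secure-app/account", "/secure-app/%2e%2e/other-app/page"]) {
  console.log(p, "raw:", cookieSentRaw(p, COOKIE_PATH),
    "normalized:", cookieSentNormalized(p, COOKIE_PATH));
}
```
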
Platforms Affected:
- Apple, Safari
- Debian, Debian Linux 3.0
- KDE, KDE
- KDE, Konqueror Embedded
- MandrakeSoft, Mandrake Linux 9.1
- MandrakeSoft, Mandrake Linux 9.1 PPC
- MandrakeSoft, Mandrake Linux 9.2 AMD64
- MandrakeSoft, Mandrake Linux 9.2
- Microsoft, Internet Explorer
- Mozilla, Mozilla
- Opera, Opera
- RedHat, Enterprise Linux 2.1 WS
- RedHat, Enterprise Linux 2.1 AS
- RedHat, Enterprise Linux 2.1 ES
- RedHat, Enterprise Linux 2.1 AW
- RedHat, Enterprise Linux 3 WS
- RedHat, Enterprise Linux 3 ES
- RedHat, Enterprise Linux 3 AS
- RedHat, Linux 9.0
- RedHat, Linux Advanced Workstation 2.1 Itanium
- SCO, SCO OpenServer 5.0.7
- SuSE, SuSE Linux 9.0
- SuSE, SuSE Linux Connectivity Server
- SuSE, SuSE Linux Database Server
- SuSE, SuSE Linux Enterprise Server 7.0
- SuSE, SuSE Linux Office Server
Remedy:
For Red Hat Linux:
Upgrade to the latest kdelibs package, as listed below. Refer to RHSA-2004:075-05 for more information. See References.
Red Hat Linux 9: 3.1-13 or later
For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest kdelibs (4:2.2.2-13.woody.9 or later), as listed in DSA-459-1. See References.
For Mandrake Linux 9.1:
Upgrade to the latest kdelibs package (3.1-58.3.91mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2004:022 : kdelibs. See References.
For Mandrake Linux 9.2:
Upgrade to the latest mozilla package (1.4-13.2.92mdk or later), as listed in MandrakeSoft Security Advisory MDKSA-2004:021 : mozilla. See References.
Note: Reportedly, many vendors have fixed this vulnerability in versions released since July 2003. Contact your Web browser vendor for more information.
For Red Hat Linux 9:
Upgrade to the latest mozilla package (1.4.2-0.9.0 or later), as listed in RHSA-2004:112-09. See References.
For Red Hat Linux:
Upgrade to the latest mozilla package, as listed below. Refer to RHSA-2004:110-20 for more information. See References.
Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Advanced Workstation for the Itanium Processor: (v. 1.4.2-2.1.0 or later)
For Red Hat Linux:
Upgrade to the latest mozilla package, as listed below. Refer to RHSA-2004:110-20 for more information. See References.
Red Hat Enterprise Linux AS (v. 3), ES (v. 3), and WS (v. 3): (1.4.2-3.0.2 or later)
For SCO OpenServer 5.0.7:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2004.8. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Bypass Security
References:
- CIAC Information Bulletin 0-106, Mozilla 1.4.2 Vulnerabilities at http://www.ciac.org/ciac/bulletins/o-106.shtml.
- Full-Disclosure Mailing List, Wed Mar 10 2004 - 07:12:16 CST, Multiple vendor HTTP user agent cookie path traversal issue at http://archives.neohapsis.com/archives/fulldisclosure/2004-03/0407.html.
- SCO Security Advisory SCOSA-2004.8, OpenServer 5.0.7 : Mozilla Multiple issues at http://www.linuxsecurity.com/advisories/caldera_advisory-4588.html and http://www.linuxsecurity.com/content/view/106277/98/.
- BID-9323: Mozilla Browser Cookie Path Restriction Bypass Vulnerability
- BID-9330: Mozilla URI Sub-Directory Arbitrary Cookie Access Vulnerability
- BID-9841: Multiple Vendor Internet Browser Cookie Path Argument Restriction Bypass Vulnerability
- CVE-2003-0513: Microsoft Internet Explorer allows remote attackers to bypass intended cookie access restrictions on a web application via %2e%2e (encoded dot dot) directory traversal sequences in a URL, which causes Internet Explorer to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
- CVE-2003-0514: Apple Safari allows remote attackers to bypass intended cookie access restrictions on a web application via %2e%2e (encoded dot dot) directory traversal sequences in a URL, which causes Safari to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
- CVE-2003-0592: Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via %2e%2e (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
- CVE-2003-0593: Opera allows remote attackers to bypass intended cookie access restrictions on a web application via %2e%2e (encoded dot dot) directory traversal sequences in a URL, which causes Opera to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
- CVE-2003-0594: Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via %2e%2e (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
- DSA-459: kdelibs -- cookie path traversal
- MDKSA-2004:021: Updated mozilla packages fix multiple vulnerabilities
- MDKSA-2004:022: Updated kdelibs packages fix cookie theft vulnerability
- RHSA-2004-074: kdelibs security update
- RHSA-2004-075: Updated kdelibs packages resolve cookie security issue
- RHSA-2004-110: mozilla security update
- RHSA-2004-112: Updated Mozilla packages fix security issues
- SA9680: Multiple Browser Cookie Path Directory Traversal Vulnerability
- SECTRACK ID: 1010121: (HP Issues Fix for HP-UX) Mozilla Cookie Path Restrictions Can Be Bypassed By Remote Servers
- SUSE-SA:2004:007: openssl: remote denial-of-service
Reported:
Mar 10, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
