Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 166945 - www-client/mozilla-firefox(-bin) Cookie Manipulation CVE-2007-0981
Summary: www-client/mozilla-firefox(-bin) Cookie Manipulation CVE-2007-0981
Status: RESOLVED DUPLICATE of bug 165555
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: A4 [ebuild] Executioner
Depends on: 167276
  Show dependency tree
Reported: 2007-02-15 01:41 UTC by Executioner
Modified: 2007-02-23 15:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Executioner 2007-02-15 01:41:23 UTC
There is a serious vulnerability in Mozilla Firefox, tested with,
but quite certainly affecting all recent versions.

The problem lies in how Firefox handles writes to the 'location.hostname'
DOM property. It is possible for a script to set it to values that would
not otherwise be accepted as a hostname when parsing a regular URL -
including a string containing \x00.

Doing this prompts a peculiar behavior: internally, DOM string variables
are not NUL-terminated, and as such, most of checks will consider
'\' to be a part of * domain. The
DNS resolver, however, and much of the remaining browser code, operates on
ASCIZ strings native to C/C++ instead, treating the aforementioned example
as ''.

This makes it possible for to modify location.hostname as
described above, and have the resulting HTTP request still sent to Once the new page is loaded, the attacker will be able to set
cookies for *; he'll be also able to alter document.domain
accordingly, in order to bypass the same-origin policy for XMLHttpRequest
and cross-frame / cross-window data access.

A quick demonstration is available here:

If you want to confirm a successful exploitation, check Tools -> Options
-> Privacy -> Show Cookies... for after the test; for the demo
to succeed, the browser needs to have Javascript enabled, and must accept
session cookies.

The impact is quite severe: malicious sites can manipulate authentication
cookies for third-party webpages, and, by the virtue of bypassing
same-origin policy, can possibly tamper with the way these sites are
displayed or how they work.


Reproducible: Didn't try
Comment 1 Executioner 2007-02-16 06:57:43 UTC
Comment 2 Stuart Longland (RETIRED) gentoo-dev 2007-02-16 11:13:56 UTC
I wasn't able to reproduce the bug, since Squid would step in and give me an "Invalid URL" error... however, I've hopefully addressed the problem with this patch:

The upstream development team have already applied this patch to their tree -- it'll appear in the next release of Firefox.

Could people try mozilla-firefox- and report back?  If the problem is fixed, then I'll add arches and get it pushed to stable.  (And I'll be testing on MIPS very shortly)
Comment 3 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2007-02-17 15:38:03 UTC
It works on x86.
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-17 23:43:36 UTC
Hi Stuart, do you plan to release a mozilla-firefox-bin- too?
Comment 5 Executioner 2007-02-18 08:09:09 UTC
Looks like its fixed with 

According to

v.fixed on both branches with:
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20070215
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/20070216
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-02-18 11:26:26 UTC
(In reply to comment #4)
> Hi Stuart, do you plan to release a mozilla-firefox-bin- too?

Being a bin it's impossible to apply a patch :) For -bin we'll have to wait to the release, which is now rc4, so it should be out soon.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-23 15:49:48 UTC
This Firefox release will be handled on bug 165555 which is older.

*** This bug has been marked as a duplicate of bug 165555 ***