Category:   Application (Web Browser)  >   Netscape
Vendors:   America Online, Inc.
Netscape Navigator document.domain Interpretation Flaw Discloses Information From Arbitrary Domains
SecurityTracker Alert ID:  1006679
SecurityTracker URL:  http://securitytracker.com/id/1006679
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 30 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 7.02
Description:   A domain security vulnerability was reported in the Netscape Navigator browser. A remote user can create HTML that will access information from arbitrary domains.

Liu Die Yu reported a flaw in how the browser determines the appropriate security domain in certain cases. When a URL for a particular domain name followed by a period "." is loaded, the browser will ignore the trailing period when loading the page but will incorrectly determine the document.domain property. A remote user can create HTML that, when loaded on a target user's browser, will be able to access information (such as cookies) from a different security domain.

To trigger the vulnerability, a remote user can create HTML located at a URL of the following format:

http://[Domain]./[DirectoryName]/[FileName]

When the HTML is loaded on the target user's browser, the browser will determine that the "document.domain" property is "[Domain].". If the HTML contains JavaScript that sets the document.domain value to an empty string, the browser will then calculate the document.domain value to be "[DirectoryName]". If the directory name on the remote server is of the form "w.[TargetDomain]", then the scripting code will be able to access information within the target domain, including authentication cookies.

A demonstration exploit is available at:

http://liudieyuinchina.vip.sina.com/DomainDot/DomainDot-MyPage.htm
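
The check that fails in this report is the one a document.domain setter is expected to enforce: derive the current domain from the URL host only, reject an empty value, and accept only the host itself or a parent of it. The sketch below is an added example, not code from Netscape or from the original report; `canonicalHost`, `isWellFormed`, `setDocumentDomain` and the small `PUBLIC_SUFFIXES` set are hypothetical names, and it assumes the trailing-dot and dotless forms name the same host, as the description above says the page is loaded.

```javascript
// Added example: tiny constructed stand-in for a real public-suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "example"]);

// Canonicalise a host: lower-case it and drop ONE trailing root dot,
// so "site.example." and "site.example" compare as the same host.
function canonicalHost(host) {
  const h = String(host).toLowerCase();
  return h.endsWith(".") ? h.slice(0, -1) : h;
}

// A usable host is non-empty and has no empty labels ("a..b", "a.b..").
function isWellFormed(host) {
  return host.length > 0 && host.split(".").every((label) => label.length > 0);
}

// Decide whether a page served from `currentHost` may set document.domain
// to `requested`. Only the host component is consulted; the URL path
// (the "[DirectoryName]" in the advisory) never takes part in the decision.
// Returns the new effective domain, or throws.
function setDocumentDomain(currentHost, requested) {
  const current = canonicalHost(currentHost);
  const wanted = canonicalHost(requested);
  if (!isWellFormed(current)) {
    throw new Error("invalid current host");
  }
  // An empty string is an error, never a cue to recompute the domain.
  if (!isWellFormed(wanted)) {
    throw new Error("SecurityError: empty or malformed domain");
  }
  if (PUBLIC_SUFFIXES.has(wanted)) {
    throw new Error("SecurityError: domain is a public suffix");
  }
  // Match on a label boundary: the host itself, or a strict parent of it.
  if (wanted !== current && !current.endsWith("." + wanted)) {
    throw new Error("SecurityError: " + wanted + " is not a parent of " + current);
  }
  return wanted;
}
```
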

Impact:   A remote user can create HTML that, when loaded by the target user, will be able to obtain information from the target user's browser belonging to an arbitrary domain.
Solution:   No solution was available at the time of this entry.
Vendor URL:  channels.netscape.com/ns/browsers/download.jsp
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  "netscape navigator" is cracked.




##################
#
#  Readers' Favorite - Make Notes in Your Browser today!
#  http://liudieyuinchina.vip.sina.com/domex/aPoP/
#  http://domex.int.tc/
#
##################


"netscape navigator" is cracked.
("that's all" is end of file if you are in a hurry)

[tested]
OS:Windows Server 2003 Enterprise
Browser: "Netscape Navigator 7.02"
"Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02 "


[demo]
at
http://liudieyuinchina.vip.sina.com/DomainDot/DomainDot-MyPage.htm
or
http://umbrella.mx.tc ==> "DomainDot-MyPage" section


[screenshot]
at
http://liudieyuinchina.vip.sina.com/DomainDot/DomainDot-Screenshot.htm
or
http://umbrella.mx.tc ==> "DomainDot-Screenshot" section


[exp]
URL "http://[Domain]./[DirectoryName]/[FileName]"(one more dot 
after "[Domain]") will actually navigate your browser to:
"http://[Domain]/[DirectoryName]/[FileName]".
then "document.domain" is "[Domain]."(one more dot in "document.domain").

try to execute javascript:
[CODE.JAVASCRIPT]document.domain=""

after being set to an empty string, document.domain is auto-calculated to 
be [DirectoryName].
of course, "[DirectoryName]" can be "www.paypal.com", but you still cannot 
access document at "www.paypal.com" by just having "www.paypal.com" 
as "document.domain".

now, you make "document.domain" to be "w.www.paypal.com", then set it 
to "www.paypal.com". 
you can access document at "www.paypal.com" now.


that's all.


[how]
do you still remember "IE dot bug"?
( http://online.securityfocus.com/archive/1/273168/2002-05-18/2002-05-24/0 )

they are so similar, aren't they?


[gean]
i hope you'll get well soon!


[people]
wish you all a nice day!

greetings to:
Sandblad(the guy who found "IE dot bug"), "the Pull", dror( 
http://www.drorshalev.com/ ), bin, gean, dross and iainm.



-----
all mentioned stuff can always be found at:
Umbrella: MaX TeCh

http://umbrella.mx.tc


 
 

