Category: Application (Web Browser) > Mozilla Browser
Vendors:
Mozilla Cookie Path Restrictions Can Be Bypassed By Remote Servers
SecurityTracker Alert ID: 1009364
CVE Reference: CVE-2003-0594
Updated: Aug 30 2004
Original Entry Date: Mar 10 2004
Impact: Disclosure of authentication information, Disclosure of user information
Exploit Included: Yes

Description:   A vulnerability was reported in Mozilla in the processing of cookies. A remote user may be able to bypass the path restrictions specified by a cookie's originator. Several other browsers are also affected.

Corsaire reported that a remote user (server) can employ a combination of path traversal and encoding techniques to bypass cookie path restrictions in the target user's browser.

Malicious software on a server can obtain cookies from the target user's browser that should be restricted to a separate application path on the same server.

A demonstration exploit URL format is provided:


In the above example format, the 'insecure.cgi' application can obtain cookies that are ostensibly restricted to the '/secure' path.

The affected vendors were reportedly notified between July 12 and July 18, 2003.

Impact:   A remote server application can obtain cookies from the target user's browser for the same domain regardless of the path restrictions.
Solution:   No solution has been publicly disclosed at the time of this entry.
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 11 2004 (Mandrake Issues Fix) Mozilla Cookie Path Restrictions Can Be Bypassed By Remote Servers
Mandrake has issued a fix.
Mar 18 2004 (Red Hat Issues Fix for RH Linux) Mozilla Cookie Path Restrictions Can Be Bypassed By Remote Servers
Red Hat has released a fix for Red Hat Linux 9.
Apr 15 2004 (Red Hat Issues Fix for RH Enterprise Linux) Mozilla Cookie Path Restrictions Can Be Bypassed By Remote Servers
Red Hat has released a fix for Red Hat Enterprise Linux 2.1 and 3.
Apr 30 2004 (HP Issues Fix for Tru64) Mozilla Cookie Path Restrictions Can Be Bypassed By Remote Servers
HP has issued a fix for HP Tru64 UNIX.
May 11 2004 (HP Issues Fix for HP-UX) Mozilla Cookie Path Restrictions Can Be Bypassed By Remote Servers
HP has issued a fix for HP-UX.

Source Message Contents


-- Corsaire Security Advisory --

Title: Multiple vendor HTTP user agent cookie path traversal issue
Date: 12.07.03
Application: Various
Environment: Various
Author: Martin O'Neal []
Audience: Vendor notification
Reference: c030712-001

-- Scope --

The aim of this document is to clearly define a vulnerability in the
cookie handling functionality of multiple vendors' HTTP user agents that
would allow an attacker to avoid the path restrictions specified by a
cookie's originator.

-- History --

Discovered: 08.07.03
Vendors notified: 12.07.03 - 18.07.03
RFC2965 authors notified: 29.07.03
CERT/CC notified: 20.08.03
Uncoordinated Opera release: 05.09.03
NISCC notified: 24.10.03
Document released: 10.03.04

-- Overview --

The cookie specifications detail a path argument that can be used to
restrict the areas of a host that will be exposed to a cookie. By using
standard traversal techniques this functionality can be subverted,
potentially exposing the cookie to scrutiny and use in further attacks.

-- Analysis --

The cookie standard is formally defined in RFC2965 [1]. This makes
reference to the optional path argument that allows a cookie originator
to specify "the subset of URLs on the origin server to which this cookie

Many of the user agents appear to function by simply string matching the
initial part of the requested URL, so by using a combination of
traversal and standard encoding techniques the path restriction
functionality can be subverted.

Where this oversight becomes useful is in conducting attacks against the
session cookies of an application that does not suffer from any
exploitable validation flaws, but that shares the same server
environment with one that does.

It is worth acknowledging that whilst many client applications still
suffer from "same origin" issues then this is something of a moot point

-- Proof of concept --

This proof of concept is known to work with the current releases of the
major browsers.

For this example we shall imagine that our secure application shares a
host with some sample files that were installed at the same time as the
web server. Obviously, this would never happen in a live production
environment (pauses to insert tongue firmly in cheek).

The secure application is located within the "/secure" folder and sets
the cookie path argument to "/secure" which is intended to restrict the
cookie information from being exposed elsewhere on the same host.

The attacker knows that the secure application has no usable
vulnerabilities in itself and can also see that the cookie that it sets
has the path restricted. They also know that the sample files have an
exploitable XSS flaw that would give them access to the all-important
session cookies (if they can get a valid user to access it; a completely
different problem to solve).

A lot of browsers will make a URI canonical before passing it to the
target server, resolving any redundant directory traversal prior to
dispatch. By using an encoded URL the attacker can defeat this
functionality, bypass the path restriction intended by the originator
and get the valid user's browser to expose the session cookie to the
sample application:


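As an added illustration (not code from the advisory or from any browser vendor), the following Python models the user-agent side of the check the advisory and the SecurityTracker description both discuss: the plain prefix compare many user agents used, beside a matcher that resolves dot segments, including percent-encoded ones, before applying the RFC 6265 path-match rule. The cookie jar, cookie names and the "samples" folder are constructed for this example; the "/secure" path and "insecure.cgi" come from the page.

```python
"""Cookie path scoping in a user agent: naive prefix compare versus a
matcher that normalises the request path before deciding what to send."""
from urllib.parse import unquote

# Constructed cookie jar for the advisory's scenario: a session cookie
# scoped to /secure and an unrelated cookie scoped to the whole host.
COOKIE_JAR = [
    {"name": "SESSION", "path": "/secure"},
    {"name": "THEME", "path": "/"},
]


def naive_path_match(cookie_path: str, request_path: str) -> bool:
    """Plain string compare on the leading part of the request URL, as the
    advisory says many user agents did: no decoding and no traversal
    resolution, so the request path is trusted exactly as written."""
    return request_path.startswith(cookie_path)


def normalize_path(request_path: str) -> str:
    """Resolve the path the origin server will actually serve: a segment
    that percent-decodes to '.' or '..' is treated as that dot segment and
    removed per RFC 3986 section 5.2.4. Other segments are kept as-is, so
    only traversal is canonicalised here."""
    out = []
    for seg in request_path.split("/"):
        decoded = unquote(seg)          # "%2e%2e" and "%2E." both -> ".."
        if decoded == ".":
            continue
        if decoded == "..":
            if len(out) > 1:            # never pop the root segment
                out.pop()
            continue
        out.append(seg)
    return "/".join(out)


def path_match(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match, applied to the normalised
    request path: equal, or a prefix that ends at a '/' boundary."""
    req = normalize_path(request_path)
    if req == cookie_path:
        return True
    if not req.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or req[len(cookie_path)] == "/"


def cookies_for_request(request_path: str, matcher) -> list:
    """Names of jar cookies that `matcher` would attach to the request."""
    return [c["name"] for c in COOKIE_JAR if matcher(c["path"], request_path)]
```

Run against the encoded traversal path from the advisory's scenario, the naive matcher attaches the /secure session cookie while the normalising matcher attaches only the host-wide cookie.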
-- Recommendations --

The cookie path functionality of the affected user agents should be
revised to ensure that they work as intended and cannot be bypassed by
traversal and encoding techniques.

Many of the vendors involved have silently patched this issue in product
releases made after July 2003. Check with the individual vendor for
additional information.

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned
multiple names to this issue:

CAN-2003-0513 Microsoft Internet Explorer cookie path traversal issue
CAN-2003-0514 Apple Safari cookie path traversal issue
CAN-2003-0592 KDE Konqueror cookie path traversal issue
CAN-2003-0593 Opera cookie path traversal issue
CAN-2003-0594 Mozilla cookie path traversal issue

These are candidates for inclusion in the CVE list, which standardises
names for security problems (,

-- References --


-- Revision --

a. Initial release.
b. Minor revision.
c. Amended history section.
d. Amended history section.
e. Amended recommendations section.
f. Released.

-- Distribution --

This security advisory may be freely distributed, provided that it
remains unaltered and in its original form.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

Copyright 2003 Corsaire Limited. All rights reserved.

