turn_on68
03-10-2004, 10:17 AM
TITLE:
Multiple Browser Cookie Path Directory Traversal Vulnerability

SECUNIA ADVISORY ID:
SA9680

VERIFY ADVISORY:
http://secunia.com/advisories/9680/

CRITICAL:
Less critical

IMPACT:
Security Bypass

WHERE:
From remote

SOFTWARE:
Opera 5.x
Mozilla Thunderbird 0.x
Mozilla 1.6
Mozilla 1.5
Mozilla 1.4
Mozilla 1.3
Mozilla 1.2
Mozilla 1.1
Mozilla 1.0
Mozilla 0.x
Microsoft Internet Explorer 6
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 5.01
Konqueror Embedded
Konqueror 3.x
KDE 3.x
KDE 2.x
Opera 6.x
Opera 7.x
Safari 1.x

DESCRIPTION:
Corsaire has discovered a vulnerability in multiple vendors'
browsers, which can be exploited by malicious people to bypass
certain cookie restrictions.

A website can use a path argument for cookies in order to restrict
the areas on the website to which a cookie applies and to which its
information is therefore exposed.

However, it is possible to bypass the path restrictions specified by
the cookie's originator due to validation errors in multiple
browsers, which can be exploited via classic directory traversal
character sequences.

This can potentially expose sensitive information stored in cookies
associated with certain restricted sections of a site to malicious
people, if e.g. a resource on the website outside the restricted area
is vulnerable to cross-site scripting attacks.

Example:
http://[host]/restricted_area/%2e%2e/directory/insecure.cgi?xss=<script_code>

SOLUTION:
Many of the vendors involved have reportedly patched the issue
silently in product releases made after July 2003. Users are
therefore advised to update to the latest version of the affected
products.

The advisory will be updated with further information when details
about fixed versions are acquired.

Opera browser:
The vulnerability has been fixed in version 7.20 beta 7 and later.

PROVIDED AND/OR DISCOVERED BY:
Martin O'Neal of Corsaire.

ORIGINAL ADVISORY:
Corsaire:
http://www.corsaire.co.uk/advisories/c030712-001.txt

----------------------------------------------------------------------
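
The path check the advisory describes, as an added example that is not part of the original post or of the Secunia/Corsaire advisory: a simplified model of a cookie Path comparison made on the raw request path, next to one that decodes and resolves dot segments first, with the final comparison modeled on the RFC 6265 path-match rule. The function names and the /restricted_area/ sample paths are constructed for illustration, and the "naive" function is an assumed model of the validation error, not any browser's actual code.

```javascript
// Assumed model of the flawed check: compare the cookie's Path attribute
// against the request path exactly as it appears in the URL.
function naivePathMatch(cookiePath, requestPath) {
  return requestPath.startsWith(cookiePath);
}

// Decode percent-escapes, then resolve "." and ".." segments, so the client
// compares against the path the server will actually map to a resource.
// Input is the path component only (no query string).
function normalizePath(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return null; // malformed escape sequence: caller treats as no match
  }
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop();
    else out.push(seg);
  }
  const trailing = decoded.endsWith("/") && out.length > 0 ? "/" : "";
  return "/" + out.join("/") + trailing;
}

// Path match on normalized values: identical, or a prefix that ends on a
// "/" boundary (the rule RFC 6265 later specified for cookie paths).
function strictPathMatch(cookiePath, requestPath) {
  const cp = normalizePath(cookiePath);
  const req = normalizePath(requestPath);
  if (cp === null || req === null) return false;
  if (req === cp) return true;
  if (!req.startsWith(cp)) return false;
  return cp.endsWith("/") || req[cp.length] === "/";
}

// Constructed sample paths, following the advisory's example URL.
const COOKIE_PATH = "/restricted_area/";
const samples = [
  "/restricted_area/account.cgi",
  "/restricted_area/%2e%2e/directory/insecure.cgi",
  "/directory/insecure.cgi",
];
for (const p of samples) {
  console.log(p, "naive:", naivePathMatch(COOKIE_PATH, p),
              "strict:", strictPathMatch(COOKIE_PATH, p));
}
```

Only the second sample differs between the two checks: the raw comparison would attach the cookie to a request that the server resolves outside the restricted area.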