Mozilla Foundation Security Advisory 2007-07

Embedded nulls in location.hostname confuse same-domain checks

Announced
February 23, 2007
Reporter
Michal Zalewski
Impact
High
Products
Firefox, SeaMonkey
Fixed in
  • Firefox 1.5.0.10
  • Firefox 2.0.0.2
  • SeaMonkey 1.0.8

Description

Michal Zalewski demonstrated that setting location.hostname to a value with embedded null characters can confuse the browsers domain checks. Setting the value triggers a load, but the networking software reads the hostname only up to the null character while other checks for "parent domain" start at the right and so can have a completely different idea of what the current host is.

This cannot be used for a direct same-origin violation to perform cross-site scripting: those checks are performed on the complete hostname including the nulls. However, other mechanisms rely on matching parent domains and those can be fooled by this trick. For example, this flaw allows a malicious page to set domain cookies for any arbitrary site, which might be useful in a session-fixation attack. This also allows setting document.domain to any arbitrary value which could be used to perform a cross-site scripting attack against any page which also sets document.domain.

Workaround

Disable JavaScript until a fixed version can be installed.

References