CVE
- Id
- 7421
- CVE No.
- CVE-2003-0594
- Status
- Candidate
- Description
- Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
- Phase
- Modified (20100819)
- Votes
- ACCEPT(5) Armstrong, Baker, Balinsky, Cole, Cox | MODIFY(1) Frech | NOOP(1) Wall | REVIEWING(1) Christey
- Comments
- Christey> REDHAT:RHSA-2004:112 | URL:http://www.redhat.com/support/errata/RHSA-2004-112.html | Frech> XF:web-browser-cookie-bypass(15424) | http://xforce.iss.net/xforce/xfdb/15424 | Cox> Addref: REDHAT:RHSA-2004:112 | Christey> REDHAT:RHSA-2004:110 | URL:http://www.redhat.com/support/errata/RHSA-2004-110.html | Balinsky> Link in References. | CHANGE> [Christey changed vote from NOOP to REVIEWING] | Christey> Consider whether this is really a design-level problem that applies to | the interaction between any vulnerable XSS, its associated domain, and | any web browser, because browsers enforce security boundaries at the | domain level. If so, then the "%2e%2e" problem may be a red herring, | or a single attack vector of any number of vectors. | | CVE-2003-0513, CVE-2003-0514, CVE-2003-0592, CVE-2003-0593, | and CVE-2003-0594 all cover this specific issue (each for a | different browser). | Christey> HP:SSRT4722 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108448379429944&w=2 | Christey> FEDORA:FLSA:2089 | URL:http://marc.theaimsgroup.com/?l=bugtraq&m=109900315219363&w=2
