CVE-2004-0867 in Internet Explorer
Summary
by MITRE
Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is also affected.
Analysis
by VulDB Data Team • 07/11/2025
The vulnerability described in CVE-2004-0867 represents a critical cookie handling flaw in Mozilla Firefox version 0.9.2 that extends beyond the initial reported scope to include version 2.x. This security issue stems from Firefox's improper validation of country-specific top-level domains when processing HTTP cookie attributes. The flaw specifically affects domains ending in suffixes such as .ltd.uk, .plc.uk, and .sch.uk, which are legitimate British domain extensions but were incorrectly treated by the browser's cookie management system. The vulnerability arises from the browser's failure to properly enforce cookie domain restrictions, allowing malicious websites to set cookies that would normally be restricted to specific domain hierarchies.
The technical implementation of this vulnerability enables attackers to exploit the cookie domain validation mechanism by crafting cookie domain attributes that bypass normal security boundaries. When a web application attempts to set a cookie for a country-specific domain, Firefox incorrectly processes the domain validation logic, permitting cookies to be set for broader domain hierarchies than intended. This misconfiguration creates an opportunity for session fixation attacks where an attacker can establish a known session identifier on a victim's browser. The flaw specifically targets the HTTP cookie specification compliance and demonstrates a failure in the browser's domain matching algorithm, which should normally prevent cookies from being set for domains outside the user's intended scope.
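The domain check discussed above can be illustrated with a short added example; it is not code from Firefox, MITRE or VulDB. It compares a dot-counting acceptance rule (assumed here for illustration) with a rule that refuses a Domain attribute equal to a public suffix. The suffix set, function names and hostnames are constructed, and wildcard or exception entries of the real Public Suffix List are not handled.

```javascript
// Constructed excerpt of public suffixes; a real check loads the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk", "ltd.uk", "plc.uk", "sch.uk"]);

// Normalise a host or Domain attribute: lowercase, drop one leading dot.
function normalize(name) {
  return name.toLowerCase().replace(/^\./, "");
}

// Domain-match: the host equals the domain or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Illustrative legacy-style rule (an assumption, not Firefox's code): accept any
// Domain attribute that contains an embedded dot and domain-matches the host.
function naiveAccepts(host, domainAttr) {
  const h = normalize(host), d = normalize(domainAttr);
  return d.includes(".") && domainMatches(h, d);
}

// Suffix-aware rule: also refuse a Domain attribute that is itself a public
// suffix, because that cookie would be sent to every site registered under it.
function suffixAwareAccepts(host, domainAttr) {
  const h = normalize(host), d = normalize(domainAttr);
  if (PUBLIC_SUFFIXES.has(d)) return false;
  return domainMatches(h, d);
}

// Constructed cases: [host setting the cookie, Domain attribute it sends]
const CASES = [
  ["shop.example.ltd.uk", ".ltd.uk"],
  ["shop.example.ltd.uk", ".example.ltd.uk"],
  ["www.example.sch.uk", "sch.uk"],
  ["www.example.com", ".other.com"],
];

// Evaluate every case under both rules so the difference is visible side by side.
function evaluate() {
  return CASES.map(([host, attr]) => ({
    host, attr,
    naive: naiveAccepts(host, attr),
    suffixAware: suffixAwareAccepts(host, attr),
  }));
}

console.table(evaluate());
```

The first and third cases are the ones the two rules disagree on: the dot-counting rule accepts a cookie scoped to .ltd.uk or sch.uk, while the suffix-aware rule rejects it and still allows the site's own registrable domain.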
The operational impact of this vulnerability is significant as it enables sophisticated session hijacking attacks that can compromise user authentication and authorization. An attacker can leverage this weakness to maintain persistent access to user sessions by setting malicious cookies that persist across different web applications or services. The vulnerability's scope extends to any web application that relies on HTTP cookies for session management, making it particularly dangerous in environments where users access multiple services through the same browser. This issue directly violates the fundamental security principle of domain isolation and can lead to complete session compromise, potentially allowing attackers to impersonate users and access sensitive information or perform unauthorized transactions on behalf of victims.
The vulnerability aligns with CWE-294, which addresses authentication bypass through session fixation, and represents a specific implementation flaw in the cookie handling subsystem that falls under the ATT&CK technique T1566 for credential access through session hijacking. Organizations affected by this vulnerability should immediately update to patched versions of Firefox, as the issue affects multiple versions of the browser and demonstrates a fundamental flaw in how the browser processes cookie domain attributes. The recommended mitigation strategy includes applying the latest security patches from Mozilla, implementing additional cookie security measures such as the Secure and HttpOnly flags, and monitoring for suspicious cookie behavior in web application logs. Security teams should also consider implementing network-based monitoring to detect potential exploitation attempts and establish proper cookie domain validation policies to prevent similar issues in other browser implementations or web applications that may exhibit similar behavior patterns.