CVE-2004-0871 in Mozilla

Summary

by MITRE

Mozilla does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection."


Analysis

by VulDB Data Team • 01/31/2018

CVE-2004-0871 describes a critical flaw in Mozilla's cookie handling that breaks a basic web-security boundary. The browser did not keep cookie transmission separate across security contexts: cookies set over plain HTTP and cookies set over HTTPS for the same domain were treated as one pool. This permits cross-security-boundary cookie injection, in which a cookie received over insecure HTTP is also sent on HTTPS connections to the same domain, giving an attacker a way to abuse the trust a web application places in the cookies its users present.

Technically, the cookie manager failed to enforce a boundary between the HTTP and HTTPS contexts. When a site sets a cookie over HTTP, the browser should not automatically attach that cookie to a later HTTPS request to the same domain. In affected Mozilla builds, however, the cookie jar did not isolate cookies by the security context in which they were set, so cookies received over an insecure channel were sent over the secure one. This violates the principle, as the analysis reads the cookie specification standards, that a cookie should stay confined to the security context that created it.

The operational impact is severe: the flaw creates openings for session hijacking, credential theft, and unauthorized account access. An attacker who can first capture or set cookies during an insecure HTTP session can then rely on those same cookies being transmitted when the user moves to HTTPS pages, and so impersonate the user, reach protected resources, and potentially escalate privileges within the application. Applications that rely on cookie-based authentication and session management are the most exposed, which makes the issue a significant threat to user privacy and application security. The behaviour aligns with the credential-access techniques in the MITRE ATT&CK framework that cover cookie manipulation and session hijacking.

The vulnerability maps directly to CWE-1004, which covers the lack of security-context awareness in cookie handling. It also relates to CWE-310 (cryptographic issues in cookie security) and CWE-295 (improper certificate validation, which can likewise lead to cross-boundary problems). The consequences go beyond simple cookie theft to the broader session-management weaknesses that enable attacks such as cross-site request forgery and man-in-the-middle interception. Organizations running affected Mozilla browsers were exposed for as long as the flaw existed, since users could unknowingly hand their session cookies to a malicious party. Remediation required the browser vendor to enforce the cookie security context properly: cookies set over HTTP must not be transmitted automatically over HTTPS, and vice versa, so that the boundary the web's protocol design establishes is preserved.
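An added example, not code from VulDB or from Mozilla, modeling the cookie-jar behaviour the analysis describes: the vulnerable jar (one slot per domain and cookie name, shared across HTTP and HTTPS) beside a jar that isolates the two security contexts, which is the remediation the analysis names. The `shop.example` host, the cookie names and the `CookieJar` class are all constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure_flag: bool      # the Set-Cookie "Secure" attribute
    set_over_https: bool   # security context the cookie arrived in

def parse_set_cookie(header: str, origin: str) -> Cookie:
    """Parse one Set-Cookie header received from `origin` (an http:// or https:// URL)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    u = urlparse(origin)
    return Cookie(name.strip(), value.strip(), u.hostname, "secure" in attrs, u.scheme == "https")

class CookieJar:
    """enforce_context=False models the CVE-2004-0871 jar (one slot per domain+name, so a plaintext
    response overwrites an HTTPS-issued cookie); True isolates the two security contexts instead."""
    def __init__(self, enforce_context: bool):
        self.enforce_context = enforce_context
        self.cookies: dict = {}

    def store(self, header: str, origin: str):
        c = parse_set_cookie(header, origin)
        key = (c.domain, c.name, c.set_over_https) if self.enforce_context else (c.domain, c.name)
        self.cookies[key] = c

    def cookies_for(self, url: str) -> dict:
        u = urlparse(url)
        https = u.scheme == "https"
        sent = {}
        for c in self.cookies.values():
            if c.domain != u.hostname:
                continue
            if c.secure_flag and not https:
                continue   # Secure cookies never go over plaintext
            if self.enforce_context and c.set_over_https != https:
                continue   # hardened: a cookie stays inside the context that set it
            sent[c.name] = c.value
        return sent

def demo(enforce_context: bool) -> dict:
    """Constructed scenario: HTTPS-issued session cookie, then a same-name plaintext cookie on the same host."""
    jar = CookieJar(enforce_context)
    jar.store("SESSION=legit; Secure", "https://shop.example/login")
    jar.store("SESSION=injected", "http://shop.example/")
    return jar.cookies_for("https://shop.example/account")
```

With `enforce_context=False` the HTTPS page receives the value that arrived over plain HTTP; with `enforce_context=True` it still receives the cookie it issued itself.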

Reservation: 09/14/2004

Disclosure: 09/16/2004

Moderation: accepted

Entry: VDB-22224

CPE: ready

EPSS: 0.00438

KEV: no

Activities: very low
