A new zero-day vulnerability in Mozilla Firefox allows malicious web sites to forge authentication cookies for certain web sites.
The problem lies in the way Firefox handles writes to ´location.hostname´ DOM property, says Michal Zalewski, an independent security researcher.
According to Zalewski, it is possible for a malicious script to set the value of the hostname property that would not be accepted as a hostname when parsing a regular URL.
Doing this prompts a peculiar behavior: internally, DOM string variables are not NULL-terminated, and as such, most of checks will consider ´evil.comx00foo.example.com´ to be a part of *.example.com domain. The DNS resolver, however, and much of the remaining browser code, operates on ASCII strings native to C/C++ instead, treating the aforementioned example as ´evil.com´.
This makes it possible for evil.com to modify location.hostname as described above, and have the resulting HTTP request still sent to evil.com. Once the new page is loaded, the attacker will be able to set cookies for *.example.com; he´ll be also able to alter document.domain accordingly, in order to bypass the same-origin policy for XMLHttpRequest and cross-frame / cross-window data access.
The vulnerability affects Firefox version 220.127.116.11, but it is likely also to affect older versions.