You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2007-07

Mozilla Foundation Security Advisory 2007-07

Title: Embedded nulls in location.hostname confuse same-domain checks
Impact: High
Announced: February 23, 2007
Reporter: Michal Zalewski
Products: Firefox, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.0.8


Michal Zalewski demonstrated that setting location.hostname to a value with embedded null characters can confuse the browsers domain checks. Setting the value triggers a load, but the networking software reads the hostname only up to the null character while other checks for "parent domain" start at the right and so can have a completely different idea of what the current host is.

This cannot be used for a direct same-origin violation to perform cross-site scripting: those checks are performed on the complete hostname including the nulls. However, other mechanisms rely on matching parent domains and those can be fooled by this trick. For example, this flaw allows a malicious page to set domain cookies for any arbitrary site, which might be useful in a session-fixation attack. This also allows setting document.domain to any arbitrary value which could be used to perform a cross-site scripting attack against any page which also sets document.domain.


Disable JavaScript until a fixed version can be installed.