CVE-2002-2013

Description

Mozilla 0.9.6 and earlier and Netscape 6.2 and earlier allows remote attackers to steal cookies from another domain via a link with a hex-encoded null character (%00) followed by the target domain.

Affected products

• Mozilla / mozilla0.9.2 – 0.9.2
• Mozilla / mozilla0.9.2.1 – 0.9.2.1
• Mozilla / mozilla0.9.3 – 0.9.3
• Mozilla / mozilla0.9.4 – 0.9.4
• Mozilla / mozilla0.9.4.1 – 0.9.4.1
• Mozilla / mozilla0.9.5 – 0.9.5
• Mozilla / mozilla0.9.6 – 0.9.6
• netscape / communicator4.0 – 4.0
• netscape / communicator4.4 – 4.4
• netscape / communicator4.5 – 4.5
• netscape / communicator4.5_beta – 4.5_beta
• netscape / communicator4.06 – 4.06
• netscape / communicator4.6 – 4.6
• netscape / communicator4.07 – 4.07
• netscape / communicator4.7 – 4.7
• netscape / communicator4.08 – 4.08
• netscape / communicator4.51 – 4.51
• netscape / communicator4.61 – 4.61
• netscape / communicator4.72 – 4.72
• netscape / communicator4.73 – 4.73
• netscape / communicator4.74 – 4.74
• netscape / communicator4.75 – 4.75
• netscape / communicator4.76 – 4.76
• netscape / communicator4.77 – 4.77
• netscape / communicator4.78 – 4.78
• netscape / navigator4.77 – 4.77
• netscape / navigator6.0 – 6.0
• netscape / navigator6.01 – 6.01
• netscape / navigator6.1 – 6.1
• netscape / navigator6.2 – 6.2

References

• MISChttp://www.securityfocus.com/bid/3925
• MISChttp://archives.neohapsis.com/archives/bugtraq/2002-01/0270.html
• MISChttp://www.iss.net/security_center/static/7973.php
• MISChttp://alive.znep.com/~marcs/security/mozillacookie/demo.html