Sun iPlanet two-part TLD security hole
Sunday, 20. February 2005, 11:03:21
// Runs only in IE 4+, when the host name s contains a dot and the flag a is 'false'
if (IE >= 4 && (i = s.indexOf('.') + 1) != 0 && a == 'false') {
    s = s.substring(i, s.length)   // drop the leftmost label, e.g. www.sun.com -> sun.com
    if (s.indexOf('.') != -1)      // only if at least one dot is left in the name
        document.domain = s        // relax the document's origin to the remaining name
}
What does this mean?
What this bit of code does is set the document.domain property to the last two parts of the host name. This is done so that JavaScript from different sub-domains, such as www.sun.com and java.sun.com, can interact: once document.domain has been set to the last two parts of the name, as in document.domain = 'sun.com', scripts from those two servers may access each other's documents.
Why is this a problem?
Imagine an institution running a website under a two-part top-level domain such as .co.uk. If they buy the iPlanet package and deploy it, the script above will run every time a user logs into their webmail, setting the domain of the document to co.uk! This means that the poor person's webmail could be accessed by JavaScript from any website whose name ends in .co.uk.
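To make the behaviour concrete, here is an added example (not code from the post or from iPlanet) that reproduces the snippet's "drop the leftmost label" rule as a pure function and puts next to it the check a hardened version would do before touching document.domain: refuse to relax the origin to a name that is itself a public suffix. The suffix list and the host name mail.co.uk are constructed for the example; a real deployment would consult the full Public Suffix List.

```javascript
// What the iPlanet snippet computes: drop the leftmost label and keep the rest
// if it still contains a dot. Returns null where the snippet would leave
// document.domain untouched.
function iplanetRelaxedDomain(hostname) {
  const i = hostname.indexOf('.') + 1;
  if (i === 0) return null;                 // no dot at all, e.g. "localhost"
  const s = hostname.substring(i);
  return s.indexOf('.') !== -1 ? s : null;  // needs at least one dot left
}

// Constructed sample of multi-label public suffixes (NOT the real Public Suffix
// List from publicsuffix.org; just enough to run the example).
const SAMPLE_PUBLIC_SUFFIXES = new Set(['co.uk', 'org.uk', 'com.au', 'co.jp']);

// Is this name, on its own, a suffix under which anyone can register a site?
// Single-label names (com, fi, uk) are always treated as public.
function isPublicSuffix(name) {
  return !name.includes('.') || SAMPLE_PUBLIC_SUFFIXES.has(name);
}

// Hardened rule: only relax to the candidate if it is still a registrable
// domain, i.e. has at least one label below a public suffix.
function safeRelaxedDomain(hostname) {
  const candidate = iplanetRelaxedDomain(hostname);
  if (candidate === null) return null;
  if (isPublicSuffix(candidate)) return null;  // would admit every *.co.uk site
  return candidate;
}

// Side-by-side table: what the snippet would set vs. what the hardened check allows.
// mail.co.uk is a constructed host name chosen to hit the case the post describes.
for (const host of ['www.sun.com', 'webmail.utu.fi', 'mail.co.uk', 'mail.example.co.uk']) {
  console.log(host, '-> snippet:', iplanetRelaxedDomain(host),
              '| hardened:', safeRelaxedDomain(host));
}
```

Current browsers already refuse to assign a public suffix such as co.uk to document.domain, and setting document.domain at all is being phased out in favour of postMessage between origins.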
I've seen this code on <webmail.utu.fi> (where it does no harm, btw) and I hope this is an outdated version of iPlanet and that this issue has been fixed. There does not seem to be any way I can tell what version is used.
If you are a user or administrator of an iPlanet system feel free to complain to Sun and refer to this post.
Remco Brink aka flow # 20. February 2005, 11:03
"This means that the poor person's webmail could be accessed by JavaScript from any website that ends in .co.uk."
The real security issue is not so much the fact that a tiny bit of JavaScript doesn't handle these kinds of (sub-)domains properly.
Unless you're on crack, why would you want to use a piece of software that relies on *clientside* security?