During the last weeks I was wondering why the download counter for Suhosin-Patch was increasing so fast. Today I most probably learned the reason when I was browsing through the FreeBSD ports. For 3 weeks now Suhosin-Patch is activated in FreeBSD's PHP ports by default.

This means that every FreeBSD user that installs PHP from ports will be Suhosin-Patch protected unless he disables it. Really good news for us and really bad news for Zend, because now they have to fix Zend Optimizer. After my ignored bugreport maybe their users can force them to stop Zend Optimizer from accessing already freed memory.

httpOnly cookies are a Microsoft extension to the cookie standard. The idea is that cookies marked as httpOnly cannot be accessed from JavaScript. This was implemented to stop cookie stealing through XSS vulnerabilities. This is unlike many people believe not a way to stop XSS vulnerabilities, but a way to stop one of the possible attacks (cookie stealing) that are possible through XSS.

Unfortunately the mozilla family still refuses to implement httpOnly cookies in Firefox and therefore their newest release: Firefox 2.0 still comes without support for httpOnly cookies. Luckily an annoying bug within the Firefox internals was fixed in Firefox 2.0 which enables an extension to correctly intercept incoming and outgoing cookies. In previous Firefox versions it was not possible to intercept incoming cookies, because the Cookie header was already parsed before the examine response hook was called.

Therefore I sat down during the last hours and wrote my little httpOnly extension. This extension adds transparent httpOnly cookie support to Firefox by using a funny hack.

The idea of the extension is to create a random key in the Firefox preferences on the first startup. It then hooks the hooks for outgoing and incoming HTTP requests. It then parses all incoming cookies (for now only Set-Cookie header) and rewrites cookies marked as httpOnly. Their name gets a 'hO_' prefix and their content gets AES encrypted. The key used for this encryption is based on the key stored in the preferences and the real name of the cookie. This results in Firefox storing an encrypted cookie into it's cookie storage. Of course it is still possible for JavaScript to read this cookie, but because the content is encrypted it is not possible for malicious JavaScript to retrieve the original value. All outgoing cookies on the other hand will be processed by another hook and decrypted if they are 'hO_' prefixed.

With this little hack it is now possible to have httpOnly cookies in Firefox 2.0. You can download this little extension from here. Be warned that this was a hack of only a few hours. Therefore you should only consider it a proof of concept. However I am planning on improving it in the near future.

Update: I just uploaded the extension to addons.mozilla.org.

During the last weeks several researchers have spent their time hunting and warning people that have not read the Flash documentation carefully and therefore exposed their domains to cross domain Flash access. You will even find statistics about the number of Fortune 500 sites affected by this.

Well, I did not participate in such witchhunts, mainly because I do not consider it security research to use google to find crossdomain.xml files or to draw sweet looking statistics. On the other hand these Flash policies were interesting enough for me to test and exploit.

Therefore I researched a bit and have released a mini article about a new class of holes this obscure Flash feature pokes into web applications.

You are invited to read it here.

Today I noticed that calling Wikipedia directly with an URL like http://en.wikipedia.org/+ADw-SCRIPT+AD4-alert(/XSS/)+ADw-/SCRIPT+AD4- results in a 404 error page that contains an HTML redirect. The special thing about this page was that did not send a charset in it's content-type header.

Unfortunately several browsers can be tricked to assume UTF-7 as charset when no charset header is given by the server or from within the HTML. Because the UTF-7 encoding uses only characters usually considered safe for HTML output user input is usually not correctly escaped when it gets printed which results in Cross Site Scripting vulnerabilities.

Luckily the Wikipedia admins were ultra fast in fixing this issue. After I sent my notification email it was fixed in less than 3 hours. This is a responsetime you would like to see everytime your report a security hole.

A similar UTF-7 injection vulnerability in the popular ViewVC CVS/SVN viewer was disclosed by me today in a new Hardened-PHP Project advisory. In this advisory I also disclose the fact that the popular belief among web-application security people that this problem only affects Internet Explorer is wrong. There is a vulnerability in browsers of the Mozilla family that allows this kind of attack...

(Details will be disclosed when a fixed Firefox is released)