Sun iPlanet two-part TLD security hole

Just found the following gem in code from Sun's iPlanet mail package [1]. This is a webmail/messaging/whatever system aimed at big institutions such as universities (licence: "minimum 1000 users, $20 per user").

    // s holds the page's domain name; i is the index just past its first dot (0 if there is none)
    if (IE >= 4 && (i = s.indexOf('.') + 1) != 0 && a == 'false') {
        s = s.substring(i, s.length)   // drop the leftmost label only
        if (s.indexOf('.') != -1)      // "still has a dot" is the only guard against a bare TLD
            document.domain = s
    }

What does this mean?

What this bit of code does is strip the leftmost label from the page's domain name (s) and, as long as what remains still contains a dot, assign the remainder to document.domain. For a typical three-part host such as www.sun.com that yields "sun.com", which is the point of it: setting document.domain relaxes the browser's same-origin policy so that JavaScript from different sub-domains, such as www.sun.com and java.sun.com, may interact once both pages have set document.domain to 'sun.com'. The check for a remaining dot is the only thing stopping the value from becoming a bare top-level domain, and it silently assumes that top-level domains consist of a single label.

Why is this a problem?

Imagine an institution running its website under a two-part top-level domain such as .co.uk. If it buys the iPlanet package and serves webmail from a host of the form something.co.uk (its own bare domain, say example.co.uk), the script above runs every time a user logs in, strips the first label, finds that "co.uk" still contains a dot, and sets the domain of the document to co.uk! That is a public suffix the institution does not control, so the poor person's webmail could be accessed by JavaScript from any website that ends in .co.uk, provided that page also sets its document.domain to co.uk and gets hold of the webmail window (by framing it or opening it, for instance). A deeper host such as webmail.example.co.uk is only reduced to example.co.uk, so the exposure depends on exactly which hostname the webmail is served from. Browsers today consult the Public Suffix List and refuse to set document.domain to a suffix such as co.uk, but this code predates that safeguard.
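To make the two paragraphs above concrete, here is an added example of my own, not iPlanet's code. It reproduces the snippet's string logic as a pure function, so it can be run in Node or a browser console without touching document.domain, and contrasts it with a public-suffix-aware computation of the domain a sub-domain-sharing script should actually use. The public-suffix set and the sample hostnames are constructed for the example; the real Public Suffix List is far longer.

```javascript
// Added example, not iPlanet's code: reproduces the string logic of the
// snippet above as a pure function and contrasts it with a public-suffix-aware
// version. Nothing here touches document.domain; the functions return the
// value that would be assigned so the behaviour can be checked offline.

// Value the iPlanet snippet would assign for a hostname, or null where it
// would leave document.domain untouched. Only the string handling is
// modelled; the `IE >= 4` and `a == 'false'` gating is ignored.
function iplanetDomainFor(hostname) {
  let s = hostname;
  const i = s.indexOf('.') + 1;             // index just past the first dot, 0 if none
  if (i === 0) return null;                 // single-label host: nothing to strip
  s = s.substring(i, s.length);             // drop the leftmost label only
  if (s.indexOf('.') === -1) return null;   // guard assumes one-label TLDs
  return s;
}

// Constructed subset of public suffixes for this example. Browsers use the
// full Public Suffix List (publicsuffix.org), which is far longer.
const PUBLIC_SUFFIXES = new Set(['com', 'fi', 'uk', 'co.uk', 'ac.uk', 'org.uk']);

// Registrable domain (public suffix plus one label) for a hostname, or null
// when the host is itself a public suffix, sits above one, or uses a suffix
// not in the list. A "share scripts across our sub-domains" script should
// never assign anything shorter than this to document.domain.
function registrableDomain(hostname, suffixes = PUBLIC_SUFFIXES) {
  const labels = hostname.toLowerCase().split('.');
  // Longest match first so that 'co.uk' wins over 'uk'.
  for (let n = labels.length; n >= 1; n--) {
    const candidate = labels.slice(labels.length - n).join('.');
    if (suffixes.has(candidate)) {
      return labels.length > n ? labels.slice(labels.length - n - 1).join('.') : null;
    }
  }
  return null;                              // unknown TLD: refuse rather than guess
}

// True when the iPlanet logic would widen document.domain to a public suffix.
function iplanetOverreaches(hostname, suffixes = PUBLIC_SUFFIXES) {
  const assigned = iplanetDomainFor(hostname);
  return assigned !== null && registrableDomain(assigned, suffixes) === null;
}

// Constructed sample hostnames covering the cases discussed above.
const SAMPLE_HOSTS = [
  'www.sun.com',                // iPlanet: sun.com        (fine)
  'webmail.utu.fi',             // iPlanet: utu.fi         (fine)
  'webmail.example.co.uk',      // iPlanet: example.co.uk  (fine)
  'example.co.uk',              // iPlanet: co.uk          (the hole)
  'example.com',                // iPlanet: untouched      (the guard works here)
];

for (const host of SAMPLE_HOSTS) {
  console.log(host.padEnd(24), 'iPlanet ->', String(iplanetDomainFor(host)).padEnd(15),
              'safe ->', String(registrableDomain(host)).padEnd(15),
              'overreach:', iplanetOverreaches(host));
}
```

The fix is not to count dots but to know where the public suffix ends: registrableDomain walks the suffix list longest-match first and refuses (returns null) when the host is a suffix itself or uses one it does not recognise, which is the same conservative rule browsers later adopted for document.domain and for cookie domains.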

I've seen this code on <webmail.utu.fi> (where it does no harm, btw) and I hope this is an outdated version of iPlanet and that this issue has been fixed. There does not seem to be any way I can tell what version is used.

If you are a user or administrator of an iPlanet system feel free to complain to Sun and refer to this post.

[1] iPlanet messenger home: <http://www.sun.com/software/products/messaging_srvr/home_messaging.xml>


3 thoughts on “Sun iPlanet two-part TLD security hole”

  1. :yikes: Woah :yikes:

    "This means that the poor person's webmail could be accessed by JavaScript from any website that ends in .co.uk .."

    The real security issue is not so much the fact that a tiny bit of JavaScript doesn't handle these kind of (sub-) domains properly.

    Unless you're on crack, why would you want to use a piece of software that relies on *clientside* security?
