CVE-2004-0867
Description
Mozilla Firefox allows cookies to be set for country-specific top-level domains like .ltd.uk, enabling session fixation attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mozilla Firefox 0.9.2 (and later versions up to 2.x as reported) permits web sites to set cookies for country-specific second-level domains such as .ltd.uk, .plc.uk, and .sch.uk [1]. These domains are effectively public suffixes, but the browser's cookie domain validation does not treat them as such, allowing arbitrary domains to set cookies for a wide range of subdomains under these suffixes. This affects the cookie policy as described in RFC 2109 [2].
Exploitation
A remote attacker can set a cookie for a vulnerable public suffix (e.g., .ltd.uk) from any web site, and this cookie will be sent to all hosts under that suffix when the user visits them. The attacker does not need authentication or any special network position beyond being able to serve a web page that the victim views. By setting a session identifier cookie for the public suffix, the attacker can perform a session fixation attack: the victim's subsequent requests to any site under that suffix will include the attacker-controlled cookie, potentially overriding the legitimate session [1][3].
Impact
Successful exploitation allows the attacker to hijack a victim's HTTP session on any web site that uses the vulnerable public suffix domain. This leads to disclosure or manipulation of sensitive data within the scope of the affected domain. The impact depends on the specific site's functionality, but could include identity theft, data theft, or unauthorized actions on behalf of the victim [1].
Mitigation
Mozilla addressed this issue in Firefox by improving cookie domain checks to reject public suffixes such as .co.uk and .ltd.uk. The fix was tracked in Bugzilla bug 252342 and resolved as fixed in later releases [3]. Users should upgrade to a version of Firefox beyond 2.x that includes the corrected domain validation logic. No workaround is available for unpatched versions.
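The difference between the permissive domain check and a suffix-aware one can be seen in a short model. This is an added example, not Mozilla's code: the function names, the host names and the tiny suffix set are constructed for illustration, and the "naive" check is an assumption modelled on RFC 2109's embedded-dot rule.

```python
# Constructed, deliberately small suffix set. A real browser consults a
# maintained public-suffix list instead of a hard-coded set like this one.
PUBLIC_SUFFIXES = {"uk", "co.uk", "ltd.uk", "plc.uk", "sch.uk", "com"}


def _normalize(name):
    """Lower-case a host or Domain attribute and drop leading/trailing dots."""
    return name.strip().strip(".").lower()


def domain_matches(host, domain):
    """Tail match: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def naive_accepts(request_host, cookie_domain):
    """Model of the permissive check (assumption): the Domain value only needs
    an embedded dot and must tail-match the host that sets the cookie."""
    host, domain = _normalize(request_host), _normalize(cookie_domain)
    return "." in domain and domain_matches(host, domain)


def hardened_accepts(request_host, cookie_domain):
    """Same check, but a Domain value that is itself a public suffix is refused."""
    if _normalize(cookie_domain) in PUBLIC_SUFFIXES:
        return False
    return naive_accepts(request_host, cookie_domain)


def cookie_reaches(setter_host, cookie_domain, visited_host, accepts):
    """True if a cookie set by setter_host with this Domain attribute would be
    stored and later sent to visited_host under the given acceptance policy."""
    if not accepts(setter_host, cookie_domain):
        return False
    return domain_matches(_normalize(visited_host), _normalize(cookie_domain))


if __name__ == "__main__":
    # Constructed hosts: two unrelated registrants under the same suffix.
    for policy in (naive_accepts, hardened_accepts):
        leaked = cookie_reaches("site-a.ltd.uk", ".ltd.uk", "site-b.ltd.uk", policy)
        print(f"{policy.__name__}: cookie crosses registrants = {leaked}")
```

Under the permissive policy the cookie set by one registrant is sent to an unrelated one; the suffix-aware policy refuses to store it while still allowing a site to scope cookies to its own subdomains.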
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (28)
- cpe:2.3:a:kde:konqueror:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.0.5b:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:kde:konqueror:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:mozilla:firefox:0.9.2:*:*:*:*:*:*:*
- (no CPE) range: <=2
- cpe:2.3:o:suse:suse_linux:1.0:*:desktop:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux:8:*:enterprise_server:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux:9.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
News mentions
No linked articles in our index yet.