× Few antiviral products inadequately detect 3proxy as Trojan.Daemonize, Backdoor.Daemonize, etc and many detect 3proxy as a PUA (potentially unwanted program). It may cause browser warning on download page. 3proxy is not trojan or backdoor and contains no functionality except described in documentation. Clear explanation of this fact is given, for example, in Microsoft's article.

Topic:                    accessing cookies via ftp
Affected Software:        all versions of Netscape/Mozilla
Author:                   3APA3A <[email protected]>
Risk:                     Low
Remotely Exploitable:     Yes
Impact:                   depending on server configuration
                          cookie   set  by  server  can  be
                          retrieved  by  hostile  side  from
Vendor URL:               http://www.mozilla.org
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories


Mozilla  doesn't  store  information  about protocol used to
receive  cookie and allows cookie to be handled in documents
received  via  FTP. This allows document located on FTP site
to access cookie, if it was set by same HTTP site. Since FTP
doesn't  allow  virtual  servers  and  some  ftp sites allow
anonymous  document  upload it causes danger of unauthorized
access  to  cookies. Probably secure cookies set via secured
protocol are not affected by this problem. Internet Explorer
probably is not affected.


Attack is possible in next conditions:

1.  FTP  and HTTP coexists in same domain (as defined in RFC
2.   Attacker  has write access to FTP (via /incoming or via
    FTP account).

Example of attack scenario:

http://webmail.example.com   uses  cookie  to  store  user's
account  information.  There  is  also ftp://ftp.example.com
with   /incoming   directory   allowing   anonymous  access
physically  located  on  the  same host In this
case   ftp://webmail.example.com/incoming  can  be  accessed
anonymously   for  writing  (attack  is  also  possible  if
webmail.example.com  and  ftp.example.com  are  located  on
different  hosts,  but  webmail.example.com  sets cookie for
example.com domain as many servers do).

1.  Attacker  composes  trojaned  HTML  (malware.html)  with
javascript which sends document.cookie to predefined URL.
2.      He      downloads      this      document     to
3.     He     sends     e-mail     with    redirect    to
ftp://webmail.example.com/incoming/malware.html        to
webmail.example.com  user  (for  example  it  can  be  <META
4. Then user opens message he is  redirected to malware.html
which sends user's cookie to URL specified by attacker.

In  case  there  is no anonymous access to FTP, but attacker
has       FTP       account       he       can      use URL
ftp://account:[email protected]/incoming/malware.html

Additional Information:

See: http://bugzilla.mozilla.org/show_bug.cgi?id=90644


Disable  /incoming  for  your  FTP site if your WEB site (or
co-located sites) use cookies with private information.