Bugtraq mailing list archives
Re: Evil Cookies.
From: sinster () BALLTECH NET (Jon Paul, Nollmann)
Date: Sat, 5 Feb 2000 10:18:31 -0800
Sprach Joachim Feise <jfeise () ICS UCI EDU>:
> > a) Why would Netscape Communicator 4.7 accept a cookie like this
> > (invalid -- only two periods):
> >
> > .com.au TRUE / FALSE 1264987602 CyberTargetAnonymous NMN000CDCF833FA08963E9BDBC6CAA59301
>
> Because you are looking at the wrong spec. RFC 2109 (http://www.ietf.org/rfc/rfc2109.txt) is the followup work to the Netscape cookie spec. According to that RFC, this cookie is valid.
Umm. I've been working on a web site that involves cookies for about half a year now. Originally we coded our cookies to the rfc2109 spec, and discovered that (apparently) there are no existing browsers which support them. Specifically, the Max-Age field was the tripping stone (rfc2109 disallows the use of the Expires field, and replaces it with a Max-Age field, see section 4.2.2 -- yes, we use HTTP/1.1 throughout). We tried all versions of Internet Explorer on the PC and Macintosh, all versions of Netscape from 4.08 through 4.7 (and a beta 5.0) on Win95 and Linux, one of the AOL browsers (I have no clue which version), and Opera 3.60.0.286 on Win95.

It doesn't help that every browser we tested which claims (in the protocol) to use HTTP/1.1 violates the spec in one or more ways. We have yet to find a browser that supports rfc2109 cookies.

If I had to guess at the original problem mentioned in this thread, I'd say that .com.au actually does have 3 dots in it. The real domain is .com.au. (notice the trailing dot). All FQDNs end in a trailing dot. However, that clearly violates the intent behind the restriction. On the other hand, bugs in the domain verification of cookies are dirt common, so this could be allowed because it's a bug.

--
Jon Paul Nollmann ne' Darren Senn    sinster () balltech net
Unsolicited commercial email will be archived at $1/byte/day.
"Even a fool, when he holdeth his peace, is counted wise." Proverbs 17:28
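The trailing-dot guess in the message above, as an added example that is not part of the original post and is not Netscape's code: it applies the Netscape cookie spec's period-count rule (two periods under the seven special TLDs, three elsewhere) once to the raw Domain string and once after dropping the root label's trailing dot. The function names are hypothetical, and `.example.com.au` is a constructed sample.

```python
# Added illustration; not code from Netscape or from the thread.
# Rule from the original Netscape cookie spec: a Domain attribute needs at
# least two periods under the seven special TLDs and at least three elsewhere.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def required_periods(domain: str) -> int:
    """Minimum period count the rule demands, keyed on the last label."""
    tld = domain.rsplit(".", 1)[-1].lower()
    return 2 if tld in SPECIAL_TLDS else 3


def naive_accepts(domain: str) -> bool:
    """Hypothetical checker that counts periods in the raw string.

    For ".com.au." the last label is empty, so three periods are required,
    and the trailing dot itself supplies the third one.
    """
    return domain.count(".") >= required_periods(domain)


def normalized_accepts(domain: str) -> bool:
    """Same rule, applied after removing the root label's trailing dot."""
    canonical = domain.lower()
    if canonical.endswith("."):
        canonical = canonical[:-1]
    # Allow one leading dot (the cookie convention), then reject empty labels
    # so "..com.au" or ".com.au.." cannot pad the period count.
    body = canonical[1:] if canonical.startswith(".") else canonical
    if not body or any(label == "" for label in body.split(".")):
        return False
    return canonical.count(".") >= required_periods(canonical)


def compare(domains):
    """Return (domain, naive verdict, normalized verdict) for each input."""
    return [(d, naive_accepts(d), normalized_accepts(d)) for d in domains]


if __name__ == "__main__":
    # ".com.au" and ".com.au." come from the thread; the rest are constructed.
    for row in compare([".com.au", ".com.au.", ".example.com.au", ".example.com"]):
        print("%-18s naive=%-5s normalized=%s" % row)
```
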