Bugtraq mailing list archives
Re: Microsoft IE cookies readable via about: URLS
From: Peter W <peterw () usa net>
Date: Thu, 15 Nov 2001 16:39:47 -0500
** resending; the distinction between http and https cookies is significant, and this about: bug underscores the importance of using at least one "secure" cookie for extra protection **

On Thu, Nov 08, 2001 at 03:32:54PM +0200, Jouko Pynnonen wrote:

> Finally, the about URL may have a hostname placed after the colon, and IE
> uses that hostname when determining the cookies to use:
>
> about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>
>
> The above URL would result in IE displaying cookies of www.anydomain.fi in
> the alert box, assuming that the site has been visited and it has set a
> cookie which hasn't expired.

Site admins: be sure to set the "secure" flag on cookies where possible!

A colleague who has tested this (I don't have IE 5.5 or 6.0 handy) reports at least one nugget of good news: it seems that about: can only be used to leak non-secure cookies. At least for our site (which uses both secure and non-secure cookies), only those not flagged secure are visible.

So sites that run under SSL and set the secure flag are OK. But those of us using cookies on plain old HTTP are in deep trouble. (And rumor has it that at least one prominent online investment e-trading site, despite using SSL, does *not* set the secure flags for their cookies, and therefore their customers using IE 5.5 or IE 6.0 are vulnerable to some degree of account information theft!)

Unfortunately, a quick survey of some on-line storefronts by prominent tech companies (Red Hat, IBM, Microsoft) suggests that it's rather popular for commerce sites to only use non-secure cookies. This despite the discussion of the "cookie marking" bug in IIS 4 and IIS 5 that prompted patches.[0]

Microsoft: this really, really stinks.

-Peter

[0] http://www.ciac.org/ciac/bulletins/l-010.shtml