Full Disclosure mailing list archives

Re: Bad CNN. No cookie for you!


From: dateline () hushmail com
Date: Tue, 18 Nov 2008 09:10:46 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear CNN,

Even though you still have not responded directly to me, I want to
thank you for responding so quickly to the Full Disclosure exploit.
I see that you have removed the entire section titled "CNN.com
Extras". This removes the "My recently viewed pages" link that can
be used to validate the exploit.

Unfortunately, you still assign the js_memberservices.mrv and
js_user_topics cookies when visitors view news reports on your
site. The code that you use for updating these cookie values
(appending, deleting, etc.) is still vulnerable. Your programmers
are not properly quoting user-supplied parameters and not taint-
checking for special characters.

The problem is not that CNN.com has (still has) web pages that do
not check for hostile user-supplied data. The problem is that
CNN.com is accepting user-supplied data for web page and HTTP
header generation, without any checks for variable content. A well-
crafted cookie value can still p0wn cnn.com.
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkki6QYACgkQ/Ikpqp7FIXdRBwP9EcxXaLBHElP0kkaulI813MFMhlZh
Eh8vTje9N3WQe0c28jK8g5YvQEpDygvkGz9388MDamFwZ7qA19gkCKTBgr5vGptvVU7T
oe6CcnSr0ucvPFH7l0b7g+7txLEl0lJN+pDS8vELRw80Xc7fJOvtkXvsHsP6jYOjF+NQ
3qjXwSQ=
=JYwk
-----END PGP SIGNATURE-----
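The pattern the post describes, reconstructed as an added example; this is not CNN's code, and nothing about the real implementation is assumed beyond the cookie name. The "|"-separated list of page paths, the function names and the request/response plumbing are hypothetical. The vulnerable pair splices cookie entries straight into markup and into a Set-Cookie header; the hardened pair whitelists each entry on read and on write and encodes on output.

```javascript
// Added example (not CNN's code): a hypothetical "recently viewed pages"
// handler keyed on the cookie name from the post. Value format, function
// names and plumbing are assumptions. Runs under Node without a DOM because
// it only builds the HTML fragment and the Set-Cookie header as strings.

const COOKIE_NAME = "js_memberservices.mrv";
const MAX_ENTRIES = 5;

// Split a raw Cookie request header into a name -> value map. Everything in
// here is attacker-controlled: any script on the domain, any sibling host
// that can set cookies for the parent domain, or a plaintext intercept.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw */ }
    out[name] = value;
  }
  return out;
}

function recentList(cookieHeader) {
  const raw = parseCookies(cookieHeader)[COOKIE_NAME] || "";
  return raw ? raw.split("|") : [];
}

// --- Vulnerable pattern: no quoting, no check on content -------------------

// Entries are reflected into the page unescaped, so a cookie entry such as
//   <img src=x onerror=alert(1)>
// becomes live script on every page that renders the list.
function renderRecentlyViewedVulnerable(cookieHeader) {
  const items = recentList(cookieHeader)
    .map(u => `<li><a href="${u}">${u}</a></li>`)
    .join("");
  return `<ul>${items}</ul>`;
}

// The new value is appended verbatim: a path containing "|" or ";" rewrites
// the cookie grammar, and CR/LF injects a second response header.
function appendRecentlyViewedVulnerable(cookieHeader, pageUrl) {
  const list = recentList(cookieHeader);
  list.push(pageUrl);
  return `${COOKIE_NAME}=${list.slice(-MAX_ENTRIES).join("|")}; path=/`;
}

// --- Hardened pattern: validate on read and write, encode on output --------

// Only same-origin paths drawn from a small character set are acceptable.
const SAFE_PATH = /^\/[A-Za-z0-9_\-.\/]{0,200}$/;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]);
}

// Re-validate every entry on each read: the cookie may have been written by
// something other than this code.
function sanitizedRecentList(cookieHeader) {
  return recentList(cookieHeader).filter(e => SAFE_PATH.test(e)).slice(-MAX_ENTRIES);
}

function renderRecentlyViewedSafe(cookieHeader) {
  const items = sanitizedRecentList(cookieHeader)
    .map(u => `<li><a href="${escapeHtml(u)}">${escapeHtml(u)}</a></li>`)
    .join("");
  return `<ul>${items}</ul>`;
}

function appendRecentlyViewedSafe(cookieHeader, pageUrl) {
  if (!SAFE_PATH.test(pageUrl)) {
    throw new Error("refusing to store a value that is not a same-origin path");
  }
  const list = sanitizedRecentList(cookieHeader);
  list.push(pageUrl);
  // encodeURIComponent leaves no ";", "|", CR or LF in the value, so the
  // result cannot terminate the cookie or start another header.
  const value = encodeURIComponent(list.slice(-MAX_ENTRIES).join("|"));
  return `${COOKIE_NAME}=${value}; path=/`;
}
```

The whitelist is deliberately narrow (paths only, no query string), because escaping alone fixes the HTML sink but not the header sink; rejecting anything outside the expected shape closes both. A feature like this is better served by a server-side store keyed on a session identifier, with the cookie carrying nothing the page will ever echo.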


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

