Vulnerability Development mailing list archives

Re: Cookies


From: "Richard M. Smith" <rms () PRIVACYFOUNDATION ORG>
Date: Sun, 6 Aug 2000 16:28:15 -0400

Hi George,

Yep, I thought about it some.  Never did any experiments, however.
I assume that it is illegal to break into someone else's Web server
in this way.  The nickname I gave to the problem is "poison cookie".
It seems like it might happen pretty often.  I doubt
a lot of programmers validate their cookie values since they
assume the values are okay because they wrote them in the first place.
The buffer overflows could occur in a number of different
places:

    - The Web server software
    - A database engine that is passed a cookie value
    - A CGI script written in C or C++ that processes cookies
    - The interface code that processes a cookie for a
      scripting engine for a language like Perl, PHP,
      VBScript or JavaScript.

Besides buffer overflows, it might also be possible to
break into a database if a cookie value is blindly pasted
into an SQL statement.

Richard

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
George
Sent: Sunday, August 06, 2000 10:21 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Cookies


A few friends of mine were discussing the possibility of a custom-crafted
cookie replacing a valid cookie on a client machine being used to exploit
the web server that placed the first cookie on the client.

Has anyone looked at the possibility of editing a cookie to search
for/exploit buffer overflows in the server side code that reads
cookies? If there is any information on this sort of technique I would
appreciate a pointer.

Geo.
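As an added illustration of the two risks Richard lists (a fixed-size buffer in a C CGI script overrun by an oversized cookie value, and a cookie value pasted straight into an SQL statement), here is a small hypothetical CGI fragment. It is example code written for this archive page, not code from the thread or from any real server. The cookie name `SESSIONID`, the 32-character limit and the query text are all assumptions chosen for the demo; the unsafe parser is kept only to show the "poison cookie" pattern and must never be fed real `HTTP_COOKIE` input.

```c
/* Hypothetical CGI cookie handling (added example, not from the thread).
 * Compile: cc -Wall -o cookie_demo cookie_demo.c */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX 32   /* assumed maximum session-id length (hypothetical) */

/* VULNERABLE: copies the SESSIONID value with no bound check. A header such
 * as "SESSIONID=AAAA...(several hundred bytes)" overruns `sid` on the stack,
 * which is exactly the "poison cookie" overflow. Kept only to show the
 * pattern; never call it with attacker-controlled input. */
void parse_sid_unsafe(const char *cookie_header, char *sid)
{
    const char *p = strstr(cookie_header, "SESSIONID=");
    if (p == NULL) { sid[0] = '\0'; return; }
    p += strlen("SESSIONID=");
    size_t n = strcspn(p, ";");   /* value runs to ';' or end of header */
    memcpy(sid, p, n);            /* no bound: overflows if n >= buffer size */
    sid[n] = '\0';
}

/* HARDENED: the cookie is treated as untrusted input. The value is rejected
 * (not silently truncated) when it is empty, longer than the buffer or longer
 * than SID_MAX, and an allow-list of alphanumerics rejects ' " ; - and other
 * SQL metacharacters. Returns 1 on success, 0 on rejection. */
int parse_sid_safe(const char *cookie_header, char *out, size_t out_len)
{
    const char *p = strstr(cookie_header, "SESSIONID=");
    if (p == NULL || out_len == 0) return 0;
    p += strlen("SESSIONID=");
    size_t n = strcspn(p, ";");
    if (n == 0 || n >= out_len || n > SID_MAX) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)p[i])) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Builds the session lookup only from a value that passed parse_sid_safe, so
 * the second risk (cookie pasted into SQL) cannot become injection. Returns the
 * query length, or -1 when the cookie is rejected or the buffer is too small.
 * In a real program a parameterised query would still be preferable. */
int build_session_query(const char *cookie_header, char *query, size_t query_len)
{
    char sid[SID_MAX + 1];
    if (!parse_sid_safe(cookie_header, sid, sizeof sid)) return -1;
    int n = snprintf(query, query_len,
                     "SELECT user FROM sessions WHERE id='%s'", sid);
    if (n < 0 || (size_t)n >= query_len) return -1;
    return n;
}

/* Small wrapper so a caller can ask "would this header be accepted?" */
int sid_ok(const char *cookie_header)
{
    char sid[SID_MAX + 1];
    return parse_sid_safe(cookie_header, sid, sizeof sid);
}

int main(void)
{
    /* Constructed sample headers, as a CGI script would see in HTTP_COOKIE */
    const char *good = "lang=en; SESSIONID=abc123; theme=dark";
    const char *sqli = "SESSIONID=x' OR '1'='1";
    char big[256] = "SESSIONID=";
    memset(big + strlen(big), 'A', 200);      /* 200-byte value: would overflow */
    big[strlen("SESSIONID=") + 200] = '\0';

    char query[128];
    int n = build_session_query(good, query, sizeof query);
    printf("good   -> %d  %s\n", n, n < 0 ? "(rejected)" : query);
    printf("sqli   -> %s\n", sid_ok(sqli) ? "accepted" : "rejected");
    printf("200xA  -> %s\n", sid_ok(big) ? "accepted" : "rejected");
    /* parse_sid_unsafe(big, small_buf) would corrupt the stack; not called. */
    return 0;
}
```

The point the thread makes is in the difference between the two parsers: `parse_sid_unsafe` trusts the value because the server wrote it, while `parse_sid_safe` checks both the length and the character set before the value reaches a buffer or an SQL string.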

