Re: Cookies

["netsec [davidv]" <netsec () GFI COM>]

Recently at a local ISP while invetigating how he uses cookies i was really 
shocked when is aw that by just changing the a variable integer stored in a
cookie you will immediatly be someone else for the webserver.  Now if the
ISP
has a web management for the particular user then there will be big
problems.

However (pls. correct me if im wrong) the cookie format fields is not an
actual
standard by the webserver as regards to the data stored, most probably it is
the
programmer who programmes the format of the cookie in his own way.  So we
cannot
have a common template of a cookie which you can say this is exploitable,
this is
not!

It all boils down to the way a specific programmer decides to program.

Please correct me if im wrong.

David Vella

> -----Original Message-----
> From: Denis Ducamp [mailto:Denis.Ducamp () HSC FR]
> Sent: Sunday, August 06, 2000 11:30 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: Re: Cookies
>
>
> On Sun, Aug 06, 2000 at 10:20:58AM -0400, George wrote:
> > A few friends of mine were discussing the possibility of a 
> custom crafted
> > cookie replacing a valid cookie on a client machine being 
> used to exploit
> > the web server that placed the first cookie on the client.
> >
> > Has anyone looked at the possibility of editing a cookie to search
> > for/exploit buffer overflows in the server side code that 
> reads cookies? If
>
> In the web server itself : no
>
> In an http application : no with a buffer overflow but yes to access
> application privileges.
>  The more often, the cookie is used to remember the login 
> with which you
>   authenticated. Change that cookie and you are someone else :-( !
>  Other times, that cookie is used to remember which part of 
> the web site
>   you may access : change that cookie and you may access 
> anywhere :-( !
>
> Often the cookie is obfuscated with a pseudo cryptographic 
> algorythm à la
> xor using a short fixed length key.
>
> > there is any information on this sort of technique I would 
> appreciate a
> > pointer.
>
> Don't know such a public document.
>
> Denis Ducamp.
>
> --
> Denis.Ducamp () hsc fr -- Hervé Schauer Consultants -- http://www.hsc.fr/



GFI - Security & communications products for Windows NT/2000
http://www.gfi.com

**********************************************************
This mail was content checked for malicious code or viruses
by Mail essentials. Mail essentials for Exchange/SMTP is an
email security, content checking & anti-virus gateway that
removes all types of email-borne threats before they can affect
your email users. Spam, viruses, dangerous attachments & offensive
content can be removed before they reach your mail server.
In addition it has server-based email encryption, disclaimers
and other email features.
***********************************************************

In addition to Mail essentials, GFI also produces the FAXmaker
fax server product range & LANguard internet access control &
intrusion detection. For more information on our products please
visit http://www.gfi.com