Vulnerability Development mailing list archives
Re: Netaddress and amexmail
From: Jonathan.Squire () DOWJONES COM (Squire, Jonathan)
Date: Mon, 1 May 2000 11:09:09 -0400
It's possible that the authentication takes place on a third shared server (such as authenticate.foo-net) that's one way to pass the cookie accross multiple domains. I belive you can also just set a cookie for .com I'm pretty sure some browsers honor this cookie and send it to all .com sites. I think there was also a bug where some browsers where you could set a cookie that started with ... and it got sent anywhere (but don't quote me on that I don't remmeber where I saw it and I'm too lazy to test it right now.) -Jon
-----Original Message----- From: Robert Collins [mailto:robert.collins () ITDOMAIN COM AU] Sent: Tuesday, March 28, 2000 1:59 AM To: VULN-DEV () SECURITYFOCUS COM Subject: Re: Netaddress and amexmail It's my understanding that cookies can only be read by the same server that created them.. so if www.axemail.com creates a cookie, the www.netaddress.com server cannot read it. just my 20c Rob -----Original Message----- From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of Fabio Pietrosanti Sent: Thursday, 27 April 2000 5:11 PM To: VULN-DEV () SECURITYFOCUS COM Subject: Re: Netaddress and amexmail Does you know the existance of cookie ? :) NaiF On Tue, 25 Apr 2000, Arturo Busleiman wrote:Hi people. I've been using NetAdress and AmexMail (actually, the same company)for acouple of years now. I have one account in each one. Well, the point is that today I decided to play a little: I logged into my AmexMail account. After a successfull login you are redirected to http://www.amexmail.com/tpl/Door/SomeUniqueID/Welcome Ok, I opened a second browser and cut&pasted that into this newbrowserwindow, BUT changing amexmail by netaddress. Results? I had my account opened in two different browser windows, with thesmalldifference that the sessions were different. In one I hadthe amexmailuser interface, and in the other I had the netaddress userinterface.I had no friends online at that moment to send'em the URL to see iftheycould login without supplying the password. Ok, I now this is kind of stupid, but who knows? Bye *> Get PGP KEY: use pgpk -ahkp://horowitz.surfnet.nl/buanzox () usa net*> Lista social de mail. Envia e-mail en blanco alsb-subscribe () egroups com*> Panic? My kernel doesn't panic! We are doomed! DustDustDust!!!!
Current thread:
- Re: Netaddress and amexmail Squire, Jonathan (May 01)