Bugtraq mailing list archives
Re: Security Flaw in Cookies Implementation
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Sat, 26 Dec 1998 11:47:06 -0500
I have discovered what I beleive to be a flaw in the implementation of cookies, that allows for possible security implications. http://www.paradise.net.nz/~glineham/cookiemonster.html
I particularly agree with the following text, taken from the URL I quoted above: It has been pointed out to me that the whole idea of counting dots to determine valid domain settings for cookies is a fundamental flaw in the specification. Consider my domain, for example: rodents.montreal.qc.ca. Any specification that allows any server not under rodents.montreal.qc.ca to set cookies to be sent to any server that *is* under that domain is broken. As I read it, the spec (if correctly implemented) would allow any .montreal.qc.ca server to set cookies to be sent to my web server (if I had one). That is, I can extend the statement that Any country that operates subclassification of its domains is susceptible. [...] Countries that do not subclassify their domains are not susceptible. by pointing out that places that have additional levels of subclassification (like .montreal.qc.ca, or .k12.XX.us) will be susceptible even if the spec is correctly implemented. The spec is also broken in that it hardwires in, for all time (or at least for the useful lifetime of extant browsers, which amounts to much the same thing in practice), the list of `generic' top-level domains. Creating a new generic TLD will break it. der Mouse mouse () rodents montreal qc ca 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Current thread:
- Re: Security Flaw in Cookies Implementation der Mouse (Dec 26)