Re: IE cookie menagment and CSRF

[Saqib.N.Ali () seagate com]

Hello,

I think I.E. by default DOES NOT allow modifying 3rd party cookie (i.e 
cookies from other sites). But you can check this setting on your browser 
by going in to 

I.E. -> Tools -> Internet Options -> Privacy (TAB) -> Advance (Button) 

While POST is a good way of protecting form, but it does not guarantee 
that your form is secure.

Thanks.
Saqib Ali
http://validate.sf.net

lazy <lazy () gwsh gda pl> wrote on 08/20/2004 07:04:25 AM:

> Hi All,
>
> Recently while toying with CSRF XSS I found out that when I place sth. 
like
> <img src=”domainB/logout.php”> on domainA 
> IE(6.0.2800.1106.xpsp2.030422-1633) sends cookies from siteB. and 
> Mozilla 1.7.2 don't.
> Thins means that some web page on domainA can force any GET request as 
> previously authorized user on domainB.
>
> (imaginary scenario)
> 1)user logs on e-bay
> 2)wants to buy a book from attacker
> 3)attacker makes a webpage „See what I sell on ebay” with <img 
> src=”http://ebay.com/bid.cgi?item=34345&price=99999”> and links it to 
> the auction
> 4)when user views his page he not wilingly bids 999999$ on an item
>
> I think that Mozilla does right not sending cookies because domains of 
> the cookies should apply to originating html document if it's an image 
> not a link. Am i right ?
>
> What do You thing about it ? Is it a bug or it's ok and we should use 
> only POST methods for important forms?
>
> --
> Lazy