Bugtraq mailing list archives
Security Flaw in Cookies Implementation
From: oliver () LINEHAM CO NZ (Oliver Lineham)
Date: Thu, 24 Dec 1998 11:09:19 +1300
I have discovered what I believe to be a flaw in the implementation of cookies, that allows for possible security implications.

Products affected appear to include EVERY VERSION of Navigator that supports cookies, and EVERY VERSION of Internet Explorer that supports cookies.

For a detailed explanation and analysis, please visit http://www.paradise.net.nz/~glineham/cookiemonster.html immediately. This site also contains a working demonstration.

The problem relates to the restrictions applied to domains outside the United States, and how many dots they must contain. The site contains a full analysis of the problem, and has a working demonstration.

Regards,
Oliver Lineham

---------------------------------------------------
Internet Services / Webdesign / Strategic Planning
PO Box 30-481, Lower Hutt, NZ
oliver () lineham co nz
Phone +64 4 566-0627
Facsimile +64 4 570-1900