Bugtraq mailing list archives
Navigator cookie security
From: oliver () LINEHAM CO NZ (Oliver Lineham)
Date: Sat, 10 Jul 1999 17:08:09 +1200
More on the topic of Navigator cookie security.

You may recall the discovery in December of a cookie bug affecting virtually all browsers (including Netscape), relating to the cookie domain restriction. (http://homepages.paradise.net.nz/~glineham/cookiemonster.html)

Two points with regards to Netscape/Mozilla:

1) The bug report page on netscape.com claims that the bug is fixed from v4.51 (http://help.netscape.com/kb/client/981231-1.html). This is a lie (see for yourself).

2) Netscape/Mozilla decided against fixing this security hole, because it would break Yahoo Mail - who uses sloppy cookie code. Rather than notifying Yahoo, the fix was simply dropped.

Summary: All Netscape browsers, past, present, and future, have the bug.

You can read the (lengthy) discussion amongst Netscape engineers on this issue at http://bugzilla.mozilla.org/show_bug.cgi?id=8743 (contains both Bugzilla and Bugsplat comments).

As an aside, versions of IE released since Microsoft was notified do not exhibit this bug.
As Netscape has not acknowledged my email or bug report from last week,
When I contacted them, they never did respond. At all. The only way I knew they got the message was when my friend stumbled over the bug report page on netscape.com, a few weeks later.

Regards,
Oliver Lineham
___________________________________________________
v i b e m e d i a
http://www.vibe.co.nz/
wellington, new zealand
oliver () lineham co nz
phone +64 4 566-0627
facsimile +64 4 570-1900