Bugtraq mailing list archives
Re: Evil Cookies.
From: tma () OSA COM AU (Tim Adam)
Date: Wed, 9 Feb 2000 10:11:40 +1100
Dylan Griffiths wrote:
Thomas Reinke wrote:

There is no easy patch to this problem. The only solution I can think of, which is not an easy one, would be to have browsers have intimate knowledge of what constitutes an organization's "domain of influence", and limit cookies accordingly. This is essentially impossible to implement. (Consider domain.city.state.country - where is the allowable domain of influence here? Probably 4 levels deep, but how to indicate this to the browser).

Perhaps this would be an exercise best left up to the user, as there is currently no way to indicate the scope of the authority (harmless TLD, country, normal domain, etc) in the DNS system.

A similar problem existed in WPAD (Web Proxy Auto-Discovery) for IE 5.0: see MS Security Bulletin MS99-054 at http://www.microsoft.com/technet/security/bulletin/ms99-054.asp

The browser was walking up the DNS hierarchy looking for the name wpad, in some cases making queries outside the organization's trust boundary.

Tim.

--
Tim Adam
Tim.Adam () osa com au
http://www.osa.com
Software Development Engineer
Phone: +61 3 9895 2199
Open Software Associates Ltd.
Box Hill VIC Australia
Proven Solution Deployment for the Global Enterprise
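
An added example, not part of the original message or of any vendor's code: a small audit helper that models the hierarchy walk described above and reports which wpad lookups would leave an organization's boundary. The walk model (strip one leading label per step, down to the top-level domain), the host name, and the administrator-supplied boundary suffix are assumptions made for illustration, since DNS itself carries no such boundary.

```python
def within_boundary(name, org_suffix):
    """True if name is org_suffix itself or a subdomain of it.

    The comparison is label-aligned, so "badexample.com.au" is not
    treated as being inside "example.com.au".
    """
    name = name.lower().rstrip(".")
    org_suffix = org_suffix.lower().strip(".")
    return name == org_suffix or name.endswith("." + org_suffix)


def wpad_candidates(host_fqdn):
    """Names queried, in order, by a client that walks up the hierarchy.

    Assumed model: drop the host label, then strip one more leading
    label per step, ending with "wpad.<tld>".
    """
    labels = host_fqdn.lower().rstrip(".").split(".")
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]


def audit_walk(host_fqdn, org_suffix):
    """Split the walk into lookups inside and outside the boundary."""
    if not within_boundary(host_fqdn, org_suffix):
        raise ValueError("host is not inside the stated boundary")
    inside, outside = [], []
    for name in wpad_candidates(host_fqdn):
        bucket = inside if within_boundary(name, org_suffix) else outside
        bucket.append(name)
    return inside, outside


if __name__ == "__main__":
    # Constructed sample: a host four levels below a country-code TLD.
    inside, outside = audit_walk("pc1.eng.example.com.au", "example.com.au")
    print("answered inside the organization:", inside)
    print("would leave the organization:   ", outside)
```

The same within_boundary check applies to the cookie case in the quoted text: a cookie domain that fails it for the administrator's suffix is scoped wider than the organization.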