Vulnerability Development mailing list archives

Re: Netaddress and amexmail


From: Jonathan.Squire () DOWJONES COM (Squire, Jonathan)
Date: Mon, 1 May 2000 11:09:09 -0400


It's possible that the authentication takes place on a third shared server
(such as authenticate.foo-net); that's one way to pass the cookie across
multiple domains. I believe you can also just set a cookie for .com. I'm
pretty sure some browsers honor this cookie and send it to all .com sites.

I think there was also a bug in some browsers where you could set a
cookie that started with ... and it got sent anywhere (but don't quote me on
that; I don't remember where I saw it and I'm too lazy to test it right now.)

-Jon

-----Original Message-----
From: Robert Collins [mailto:robert.collins () ITDOMAIN COM AU]
Sent: Tuesday, March 28, 2000 1:59 AM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Netaddress and amexmail


It's my understanding that cookies can only be read by the same server
that created them. So if www.axemail.com creates a cookie, the
www.netaddress.com server cannot read it.

just my 20c
Rob

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV () SECURITYFOCUS COM]On Behalf Of
Fabio Pietrosanti
Sent: Thursday, 27 April 2000 5:11 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Re: Netaddress and amexmail


Do you know of the existence of cookies? :)

NaiF

On Tue, 25 Apr 2000, Arturo Busleiman wrote:

Hi people.

I've been using NetAddress and AmexMail (actually, the same company) for a
couple of years now. I have one account in each one.

Well, the point is that today I decided to play a little:

I logged into my AmexMail account. After a successful login you are
redirected to http://www.amexmail.com/tpl/Door/SomeUniqueID/Welcome

Ok, I opened a second browser and cut & pasted that into this new browser
window, BUT changing amexmail to netaddress. Results?
I had my account opened in two different browser windows, with the small
difference that the sessions were different. In one I had the amexmail
user interface, and in the other I had the netaddress user interface.
I had no friends online at that moment to send 'em the URL to see if they
could login without supplying the password.

Ok, I know this is kind of stupid, but who knows?

Bye

*> Get PGP KEY: use pgpk -a
hkp://horowitz.surfnet.nl/buanzox () usa net
*> Social mail list. Send a blank e-mail to
lsb-subscribe () egroups com
*> Panic? My kernel doesn't panic! We are doomed! DustDustDust!!!!
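The first reply above raises the question of how far a cookie travels once its Domain attribute is set to something as broad as ".com". As an added illustration (not code from any poster or from the NetAddress/AmexMail sites), the helper below implements RFC 6265 domain-matching and the public-suffix rejection that current browsers apply, using a small constructed suffix list in place of the full Public Suffix List; the host names in the test are constructed from the thread.

```python
# Constructed, partial stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}


def normalize(domain):
    """Lower-case and strip leading/trailing dots so '.com' and 'COM.' compare equal."""
    return domain.lower().strip().strip(".")


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: host matches if equal to the domain or ends with '.' + domain."""
    host, dom = normalize(request_host), normalize(cookie_domain)
    if not dom:
        return False
    return host == dom or host.endswith("." + dom)


def cookie_domain_allowed(setting_host, cookie_domain):
    """Accept a Domain attribute only if it is not a public suffix and covers the setting host."""
    dom = normalize(cookie_domain)
    if not dom or dom in PUBLIC_SUFFIXES:
        return False  # a cookie for '.com' would reach every .com site: reject it
    return domain_matches(setting_host, dom)


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def hosts_receiving_cookie(setting_host, header, candidate_hosts):
    """Return the candidate hosts that would receive a cookie set by setting_host."""
    _name, _value, attrs = parse_set_cookie(header)
    dom = attrs.get("domain")
    if dom is None:
        # No Domain attribute: host-only cookie, returned only to the setting host.
        return [h for h in candidate_hosts if normalize(h) == normalize(setting_host)]
    if not cookie_domain_allowed(setting_host, dom):
        return []  # cookie rejected outright
    return [h for h in candidate_hosts if domain_matches(h, dom)]
```

The third case in the usage corresponds to the "shared authentication server" arrangement the first reply describes: a cookie scoped to a parent domain reaches every subdomain, but nothing outside it.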
