Security Flaw in Cookies Implementation

From: Oliver Lineham (oliverat_private)
Date: Wed Dec 23 1998 - 14:09:19 PST


    I have discovered what I believe to be a flaw in the implementation of
    cookies, that allows for possible security implications.
    
    Products affected appear to include EVERY VERSION of Navigator that supports
    cookies, and EVERY VERSION of Internet Explorer that supports cookies.
    
    For a detailed explanation and analysis, please visit
    http://www.paradise.net.nz/~glineham/cookiemonster.html immediately.
    This site also contains a working demonstration.
    
    The problem relates to the restrictions applied to domains outside the
    United States, and how many dots they must contain.
    
    The site contains a full analysis of the problem, and has a working
    demonstration.
    
    Regards,
    
    Oliver Lineham
    
    ---------------------------------------------------
    Internet Services / Webdesign / Strategic Planning
    PO Box 30-481, Lower Hutt, NZ  oliverat_private
    Phone +64 4 566-0627       Facsimile +64 4 570-1900
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:26:05 PDT