Javascript can bypass user preference for cookie prompt in IE5.50.4134.0100

From: Derek Johnson (dqjat_private)
Date: Sun Nov 25 2001 - 22:54:48 PST

    If a user sets the option
    
    "Prompt to allow cookies to be stored on your 
    machine"
    
    I have found that this can be bypassed in ME by local 
    Javascript code directly setting a cookie. 
    
    A request to disable the storing of cookies is honored 
    but not the option to prompt before storing them.
    
    Hence it is insecure to set this option with Javascript 
    enabled. It is not known if this is fixed by any 
    combination of patches issued by Microsoft. 
    


