[3576] in WWW Security List Archive


Have a cookie

daemon@ATHENA.MIT.EDU (Dave Proulx)
Mon Nov 18 15:51:07 1996

Date: Mon, 18 Nov 1996 13:36:47 -0500
From: Dave Proulx <dproulx@concept5.com>
To: www-security@ns2.rutgers.edu
CC: Dave Proulx <dproulx@concept5.com>
Errors-To: owner-www-security@ns2.rutgers.edu

Some recent testing on cookies has shown that the MS Internet Explorer
is not very particular about where it takes a cookie from.  I found
two cases where the IE takes a cookie for a domain that is not
the same as the server that sets it.

Assume HTTP server in URL = www.domain.com

If the domain in the Set-Cookie directive is a substring of the
tail of the server's domain, then the IE accepts the cookie.

Example:
	domain=omain.com
	domain=main.com
	domain=n.com

If the domain in the Set-Cookie directive is the server's domain
name, plus any single preceding character, the IE will also accept
it.

Example:
	domain=adomain.com
	domain=?domain.com

In both cases, the IE creates a cookie file on the hard disk for
the given domain and will submit the cookie to an HTTP server in
that domain (i.e. the cookie for main.com will be sent to www.main.com).
The IE will not send the cookies for these new domains back to the
original server (i.e. main.com cookie won't be sent to www.domain.com).

Obviously, being able to write cookies for someone else is not a good
thing, but something else that I've thought of is that this allows
a single server to fill up a browser's cookie cache.  The spec says
that the browser should have space for 300 cookies and a limit of 20
from an individual server.  Being able to write for multiple domains,
it would be trivial to overflow the cache - How IE handles this
condition, I'm not sure, but it could cause some problems.  At the
very least, a malicious server could fill the IE system's hard disk
with a bunch of 4K files.


Thanks.
Dave Proulx	dproulx@concept5.com
Concept Five Technologies, Inc.
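
The two acceptance cases reported in the message above, set beside a domain match that only accepts suffixes starting at a label boundary. This is an added example, not part of the original post and not IE's code: `laxAccepts` is a constructed model of the reported behaviour, and all function names are hypothetical.

```javascript
// Normalise a Domain attribute or host name: lower-case, drop one leading dot.
function normalise(name) {
  const n = String(name).trim().toLowerCase();
  return n.startsWith(".") ? n.slice(1) : n;
}

// Constructed model of the behaviour reported in the post (an assumption):
// accept a raw string tail of the host, or the host's parent domain with
// any single extra leading character.
function laxAccepts(requestHost, domainAttr) {
  const host = normalise(requestHost);
  const dom = normalise(domainAttr);
  if (dom.length === 0) return false;
  const parent = host.slice(host.indexOf(".") + 1);
  return host.endsWith(dom) || dom.slice(1) === parent;
}

// Strict check: the attribute must be a syntactically valid host name and
// must equal the request host or be a suffix that begins at a dot.
function strictAccepts(requestHost, domainAttr) {
  const host = normalise(requestHost);
  const dom = normalise(domainAttr);
  // Host-name characters only, with at least one embedded dot.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(dom)) return false;
  // Numeric (IPv4-style) hosts have no parent domain: exact match only.
  if (/^[\d.]+$/.test(host)) return host === dom;
  return host === dom || host.endsWith("." + dom);
}

// Sample Domain values: the first three are legitimate for www.domain.com,
// the rest are the values quoted in the post.
const SAMPLES = [
  "domain.com", ".domain.com", "www.domain.com",
  "omain.com", "main.com", "n.com", "adomain.com", "?domain.com",
];

// Evaluate every sample against both rules for one request host.
function evaluate(requestHost) {
  return SAMPLES.map((d) => ({
    domain: d,
    lax: laxAccepts(requestHost, d),
    strict: strictAccepts(requestHost, d),
  }));
}

console.table(evaluate("www.domain.com"));
```

The strict check does not consult a public-suffix list, so a shared registry suffix such as `co.uk` would still need to be rejected separately.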
