[3603] in WWW Security List Archive
RE: Have a cookie
daemon@ATHENA.MIT.EDU (Paul Leach)
Thu Nov 21 21:30:00 1996
From: Paul Leach <paulle@microsoft.com>
To: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>,
"'Dave Proulx'" <dproulx@concept5.com>
Date: Thu, 21 Nov 1996 15:46:53 -0800
Errors-To: owner-www-security@ns2.rutgers.edu
I've been told this was supposed to have been fixed in IE 3.01 -- have
you seen it in that version?
Help/About for IE 3.01 says "Version 3.0 (4.70.1215)"
It can be downloaded for free from www.microsoft.com.
>----------
>From: Dave Proulx[SMTP:dproulx@concept5.com]
>Sent: Monday, November 18, 1996 10:36 AM
>To: www-security@ns2.rutgers.edu
>Cc: Dave Proulx
>Subject: Have a cookie
>
>Some recent testing on cookies has shown that the MS Internet Explorer
>is not very particular about where it takes a cookie from. I found
>two cases where the IE takes a cookie for a domain that is not
>the same as the server that sets it.
>
>Assume HTTP server in URL = www.domain.com
>
>If the domain in the Set-Cookie directive is a substring of the
>tail of the server's domain, then the IE accepts the cookie.
>
>Example:
> domain=omain.com
> domain=main.com
> domain=n.com
>
>If the domain in the Set-Cookie directive is the server's domain
>name, plus any single preceding character, the IE will also accept
>it.
>
>Example:
> domain=adomain.com
> domain=?domain.com
>
>In both cases, the IE creates a cookie file on the hard disk for
>the given domain and will submit the cookie to an HTTP server in
>that domain (i.e. the cookie for main.com will be sent to www.main.com).
>The IE will not send the cookies for these new domains back to the
>original server (i.e. main.com cookie won't be sent to www.domain.com).
>
>Obviously, being able to write cookies for someone else is not a good
>thing, but something else that I've thought of is that this allows
>a single server to fill up a browser's cookie cache. The spec says
>that the browser should have space for 300 cookies and a limit of 20
>from an individual server. Being able to write for multiple domains,
>it would be trivial to overflow the cache - How IE handles this
>condition, I'm not sure, but it could cause some problems. At the
>very least, a malicious server could fill the IE system's hard disk
>with a bunch of 4K files.
>
>
>Thanks.
>Dave Proulx dproulx@concept5.com
>Concept Five Technologies, Inc.
>
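The acceptance behaviour Dave describes, as an added example (not code from the list, from either poster, or from IE): `lax_tail_match` is an assumed model of the two accepted patterns in his message, set beside a strict check along the lines of RFC 2109 section 4.3.2 and RFC 6265 section 5.1.3 that a browser or proxy filter should apply; the minimal Set-Cookie parser is likewise an assumption for the demonstration.

```python
"""Set-Cookie 'domain' attribute: lax tail-substring model vs. strict label-boundary check."""

# Constructed sample: the domains from the post, all set by a server at www.domain.com
REQUEST_HOST = "www.domain.com"
POST_EXAMPLES = ["omain.com", "main.com", "n.com", "adomain.com", "?domain.com"]


def lax_tail_match(request_host: str, cookie_domain: str) -> bool:
    """Assumed model of the behaviour described in the post (not IE's real logic):
    accept any tail substring of the host, or the host's domain with one extra
    leading character."""
    host, dom = request_host.lower(), cookie_domain.lower()
    if host.endswith(dom):                       # case 1: "omain.com", "main.com", "n.com"
        return True
    return len(dom) > 1 and host.endswith(dom[1:])  # case 2: "adomain.com", "?domain.com"


def strict_domain_ok(request_host: str, cookie_domain: str) -> bool:
    """Strict check: the domain must have an embedded dot (no whole-TLD cookies),
    and must equal the host or match it on a label boundary ('.' + domain)."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if not dom or "." not in dom:                # RFC 2109 4.3.2: no embedded dots -> reject
        return False
    if host == dom:
        return True
    return host.endswith("." + dom)              # RFC 6265 5.1.3: boundary char must be '.'


def domain_attribute(set_cookie: str):
    """Minimal Set-Cookie parser (constructed): return the domain attribute or None."""
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "domain":
            return value.strip()
    return None


def domains_accepted_only_by_lax(request_host: str, domains):
    """Domains the lax model takes but the strict check rejects: the writable-for-others set."""
    return [d for d in domains
            if lax_tail_match(request_host, d) and not strict_domain_ok(request_host, d)]


if __name__ == "__main__":
    for d in POST_EXAMPLES + ["domain.com", ".domain.com", "com"]:
        print(f"{d:>12}  lax={lax_tail_match(REQUEST_HOST, d)!s:5}  strict={strict_domain_ok(REQUEST_HOST, d)}")
```

Every domain in Dave's two example lists is accepted by the lax model and rejected by the strict check, while the legitimate `domain.com` and `.domain.com` pass both.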