[10988] in bugtraq


Navigator cookie security

daemon@ATHENA.MIT.EDU (Oliver Lineham)
Mon Jul 12 01:40:59 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id:  <4.2.0.56.19990710164731.017b21b0@paradise.net.nz>
Date:         Sat, 10 Jul 1999 17:08:09 +1200
Reply-To: Oliver Lineham <oliver@LINEHAM.CO.NZ>
From: Oliver Lineham <oliver@LINEHAM.CO.NZ>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.9907022123460.27044-100000@localhost>

More on the topic of Navigator cookie security,

You may recall the discovery in December of a cookie bug affecting
virtually all browsers (including Netscape), relating to the cookie domain
restriction.
(http://homepages.paradise.net.nz/~glineham/cookiemonster.html)

Two points with regards to Netscape/Mozilla:

1)  The bug report page on netscape.com claims that the bug is fixed from
v4.51 (http://help.netscape.com/kb/client/981231-1.html). This is a lie
(see for yourself).

2)  Netscape/Mozilla decided against fixing this security hole, because it
would break Yahoo Mail, which uses sloppy cookie code. Rather than notifying
Yahoo, Netscape simply dropped the fix.

Summary:  All Netscape browsers, past, present, and future, have the bug.

You can read the (lengthy) discussion amongst Netscape engineers on this
issue at http://bugzilla.mozilla.org/show_bug.cgi?id=8743 (contains both
Bugzilla and Bugsplat comments).

As an aside, versions of IE released since Microsoft was notified do not
exhibit this bug.

>As Netscape has not acknowledged my email or bug report from last week,

When I contacted them, they never did respond.  At all.  The only way I
knew they got the message was when my friend stumbled over the bug report
page on netscape.com, a few weeks later.

Regards,

Oliver Lineham

___________________________________________________
   v i b e   m e d i a    http://www.vibe.co.nz/
wellington, new zealand    oliver@lineham.co.nz
phone +64 4 566-0627       facsimile +64 4 570-1900
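
The e-mail refers to the "cookie domain restriction" bug but does not spell out the mechanism. As an added illustration (not code from the post, from Netscape, or from the cookiemonster.html write-up it links), the following Python shows the check a browser, proxy or WAF can apply before storing a cookie carrying a Domain attribute: the setting host must domain-match the Domain value on a label boundary, and the value must not be a public suffix (a registry-level name such as .co.nz under which unrelated sites live). The public-suffix set and the Set-Cookie lines are constructed samples; `naive_dot_count_check` is included only to contrast a dot-counting heuristic with a suffix-list lookup and is an assumption about the class of mistake, not a description of Netscape's code.

```python
"""Defender-side acceptance check for the Set-Cookie Domain attribute.

Added example; assumes the problem class is a Domain attribute broad
enough that the browser later sends the cookie to unrelated hosts.
"""

# Constructed sample of public suffixes. A real deployment would load
# the full Public Suffix List (https://publicsuffix.org/) instead.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "edu", "gov",
    "nz", "co.nz", "ac.nz", "net.nz",
    "uk", "co.uk", "ac.uk",
    "au", "com.au",
}


def normalize(name: str) -> str:
    """Lower-case and strip surrounding whitespace and leading/trailing dots."""
    return name.strip().lower().strip(".")


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 2109 style domain-match: the Domain value must equal the host or
    be a suffix of it starting at a label boundary, so 'example.co.nz'
    matches 'www.example.co.nz' but not 'notexample.co.nz'."""
    host, cookie_domain = normalize(host), normalize(cookie_domain)
    if not host or not cookie_domain:
        return False
    return host == cookie_domain or host.endswith("." + cookie_domain)


def is_public_suffix(domain: str) -> bool:
    """True if the Domain value names a registry-level suffix."""
    return normalize(domain) in PUBLIC_SUFFIXES


def naive_dot_count_check(domain: str) -> bool:
    """Assumed weak heuristic for contrast: accept any Domain value with at
    least two dots. It accepts '.co.nz', which is exactly the kind of value
    a suffix-list check rejects."""
    return domain.strip().count(".") >= 2


def parse_set_cookie(header: str) -> dict:
    """Minimal Set-Cookie parser: cookie name/value plus lower-cased
    attribute names (Domain, Path, ...). Only Domain is used below."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    out = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        out[key.strip().lower()] = val.strip()
    return out


def accept_cookie(request_host: str, set_cookie: str) -> tuple:
    """Decide whether a cookie set by request_host may be stored.

    Returns (accepted, reason). A cookie without a Domain attribute is
    host-only and is always accepted; with a Domain, both rules must hold.
    """
    domain = parse_set_cookie(set_cookie).get("domain")
    if domain is None:
        return True, "host-only cookie"
    if not domain_matches(request_host, domain):
        return False, "Domain %r does not domain-match %r" % (domain, request_host)
    if is_public_suffix(domain):
        return False, "Domain %r is a public suffix; cookie would go to every site under it" % domain
    return True, "scoped to %r" % normalize(domain)


if __name__ == "__main__":
    host = "www.example.co.nz"  # constructed sample host
    for hdr in (
        "session=abc123; Domain=.example.co.nz; Path=/",
        "session=abc123; Domain=.co.nz; Path=/",
        "session=abc123; Domain=.other.co.nz; Path=/",
        "session=abc123; Path=/",
    ):
        ok, why = accept_cookie(host, hdr)
        print("ACCEPT" if ok else "REJECT", hdr, "->", why)
```

The second sample header is the interesting one: a dot-counting heuristic accepts `Domain=.co.nz` because it has two dots, while the suffix-list check rejects it because every other .co.nz site would otherwise receive the cookie. The same check can run on the server side as a review of one's own Set-Cookie headers, which is the fix the post implies sites with "sloppy cookie code" would need.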
