[13693] in bugtraq


Evil Cookies.

daemon@ATHENA.MIT.EDU (Iain Wade)
Thu Feb 3 16:22:04 2000

Message-Id:  <3897FCD2.CCF62324@optusnet.com.au>
Date:         Wed, 2 Feb 2000 20:45:54 +1100
Reply-To: Iain Wade <iwade@OPTUSNET.COM.AU>
From: Iain Wade <iwade@OPTUSNET.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM


Hello,

I have an evil cookie observation I'd like to share:

While developing some CGI stuff, I noticed that my browser was sending a
cookie which didn't make sense, since I had control of that domain and I
hadn't issued any cookies .. the name "CyberTargetAnonymous" didn't fill
me with confidence either.

After refreshing my knowledge of cookies at Netscape's developer site
below, I noticed something strange:
http://developer.netscape.com:80/docs/manuals/communicator/jsguide4/cookies.htm

In the section "Determining a valid domain" is this little gem:

<quote>
If the domain attribute matches the end of the fully qualified domain
name of the host, then path matching is performed to determine if
the cookie should be sent. For example, a domain attribute of
royalairways.com matches hostnames anvil.royalairways.com and
ship.crate.royalairways.com.

Only hosts within the specified domain can set a cookie for a domain. In
addition, domain names must use at least two or three periods.
Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories
requires only two periods; all other domains require at least three
periods.
</quote>

So my questions are these:

a) Why would Netscape Communicator 4.7 accept a cookie like this
(invalid -- only two periods):

.com.au TRUE    /       FALSE   1264987602      CyberTargetAnonymous    NMN000CDCF833FA08963E9BDBC6CAA59301

b) How can this be used by some mass marketing company to turn me into a
number in their systems for sale to the highest bidder?

Just because you're paranoid doesn't mean they're not all out to get
you.

--
Iain Wade
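The two rules quoted from the Netscape documentation (tail matching of the domain attribute, and the two-or-three-period minimum) are easy to turn into a concrete check. The following is an added example, not code from the original post or from Netscape; it assumes that a domain attribute given without a leading dot is normalised to one, that comparisons are case-insensitive, and that the only top-level domains needing just two periods are the seven the post quotes. It shows why a `.com.au` domain should have been rejected and, if it is not, how many hosts would receive such a cookie.

```python
"""Netscape-era cookie domain rules, reconstructed as an illustration.

Assumptions (not stated in the original post): a domain attribute without
a leading dot gets one added, and host/domain comparison is case-insensitive.
"""
from typing import Iterable, List, Tuple

# Per the quoted rule, these top-level domains need only two periods;
# every other top-level domain needs at least three.
TWO_PERIOD_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def normalise_domain(domain: str) -> str:
    """Lower-case the domain attribute and ensure it carries a leading dot."""
    domain = domain.strip().lower()
    return domain if domain.startswith(".") else "." + domain


def domain_is_valid(domain: str) -> bool:
    """Apply the period-count rule: ".com.au" has two periods but its TLD
    ("au") is not in the two-period list, so it needs three and fails."""
    domain = normalise_domain(domain)
    periods = domain.count(".")
    tld = domain.rsplit(".", 1)[-1]
    required = 2 if tld in TWO_PERIOD_TLDS else 3
    return periods >= required


def domain_matches(host: str, domain: str) -> bool:
    """Tail matching: the domain attribute must match the end of the
    fully qualified host name (the post's "anvil.royalairways.com" case)."""
    host = host.strip().lower()
    return host.endswith(normalise_domain(domain))


def validate_set_cookie(setting_host: str, domain: str) -> Tuple[bool, str]:
    """Decide whether a host may set a cookie for the given domain attribute.

    Both quoted rules apply: the domain must satisfy the period rule, and
    the host setting the cookie must itself lie within that domain.
    """
    if not domain_is_valid(domain):
        return False, "domain attribute has too few periods"
    if not domain_matches(setting_host, domain):
        return False, "setting host is outside the domain"
    return True, "ok"


def hosts_that_would_receive(domain: str, hosts: Iterable[str]) -> List[str]:
    """Given a domain attribute a browser accepted, list which of the
    supplied hosts would be sent the cookie under plain tail matching."""
    return [h for h in hosts if domain_matches(h, domain)]


if __name__ == "__main__":
    # Constructed inputs: the .com.au cookie from the post and the
    # documentation's royalairways.com example.
    cases = [
        ("tracker.example.com.au", ".com.au"),
        ("anvil.royalairways.com", "royalairways.com"),
        ("ship.crate.royalairways.com", ".royalairways.com"),
        ("evil.example.net", ".royalairways.com"),
    ]
    for host, dom in cases:
        print(f"{host:30} {dom:20} {validate_set_cookie(host, dom)}")

    # If a browser accepts .com.au anyway, every .com.au host gets the cookie.
    sample_hosts = ["www.bank.com.au", "shop.example.com.au", "news.example.net"]
    print("would receive .com.au cookie:", hosts_that_would_receive(".com.au", sample_hosts))
```

`validate_set_cookie` is the check a browser (or a proxy auditing Set-Cookie headers) would apply; `hosts_that_would_receive` answers the post's second question by showing the reach of a cookie scoped to a whole country-code second-level domain once the period rule is skipped.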
