[13718] in bugtraq
Re: Evil Cookies.
daemon@ATHENA.MIT.EDU (Joachim Feise)
Sat Feb 5 04:51:58 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <389A04E9.6093DDF9@ics.uci.edu>
Date: Thu, 3 Feb 2000 14:44:57 -0800
Reply-To: jfeise@ics.uci.edu
From: Joachim Feise <jfeise@ICS.UCI.EDU>
X-To: BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Iain Wade wrote:
>
> Hello,
>
> I have an evil cookie observation I'd like to share:
>
> While developing some CGI stuff, I noticed that my browser was sending a
> cookie which didn't make sense since I had control of that domain and I
> hadn't issues any cookies .. the name "CyberTargetAnonymous" didn't fill
> me with confidence either.
>
> After refreshing my knowledge of cookies at netscapes developer site
> below I noticed something strange:
> http://developer.netscape.com:80/docs/manuals/communicator/jsguide4/cookies.htm
>
> In the section "Determining a valid domain" is this little gem:
>
> <quote>
> If the domain attribute matches the end of the fully qualified domain
> name of the host, then path matching is performed to determine if
> the cookie should be sent. For example, a domain attribute of
> royalairways.com matches hostnames anvil.royalairways.com and
> ship.crate.royalairways.com.
>
> Only hosts within the specified domain can set a cookie for a domain. In
> addition, domain names must use at least two or three periods.
> Any domain in the COM, EDU, NET, ORG, GOV, MIL, and INT categories
> requires only two periods; all other domains require at least three
> periods.
> </quote>
>
> So my questions are these:
>
> a) Why would Netscape Communicator 4.7 accept a cookie like this
> (invalid -- only two periods):
>
> .com.au TRUE / FALSE 1264987602 CyberTargetAnonymous
> NMN000CDCF833FA08963E9BDBC6CAA59301
Because you are looking at the wrong spec.
RFC 2109 (http://www.ietf.org/rfc/rfc2109.txt) is the followup work to the
Netscape cookie spec.
According to that RFC, this cookie is valid.
-Joe
