[13730] in bugtraq
Re: Evil Cookies.
daemon@ATHENA.MIT.EDU (Jon Paul, Nollmann)
Mon Feb 7 17:01:10 2000
Message-Id: <m12H9mx-000yDXC@scintilla.balltech.net>
Date: Sat, 5 Feb 2000 10:18:31 -0800
Reply-To: sinster@BALLTECH.NET
From: "Jon Paul, Nollmann" <sinster@BALLTECH.NET>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <389A04E9.6093DDF9@ics.uci.edu> (message from Joachim Feise on Thu, 3 Feb 2000 14:44:57 -0800)

Joachim Feise <jfeise@ICS.UCI.EDU> wrote:
> > a) Why would Netscape Communicator 4.7 accept a cookie like this
> > (invalid -- only two periods):
> >
> > .com.au TRUE / FALSE 1264987602 CyberTargetAnonymous NMN000CDCF833FA08963E9BDBC6CAA59301
>
> Because you are looking at the wrong spec.
> RFC 2109 (http://www.ietf.org/rfc/rfc2109.txt) is the followup work to the
> Netscape cookie spec.
> According to that RFC, this cookie is valid.

Umm. I've been working on a web site that involves cookies for about
half a year now. Originally we coded our cookies to the RFC 2109 spec,
and discovered that (apparently) there are no existing browsers which
support them. Specifically, the Max-Age field was the tripping stone
(RFC 2109 disallows the use of the Expires field, and replaces it with
a Max-Age field, see section 4.2.2 -- yes, we use HTTP/1.1
throughout). We tried all versions of Internet Explorer on the PC and
Macintosh, all versions of Netscape from 4.08 through 4.7 (and a beta
5.0) on Win95 and Linux, one of the AOL browsers (I have no clue which
version), and Opera 3.60.0.286 on Win95. It doesn't help that every
browser we tested which claims (in the protocol) to use HTTP/1.1
violates the spec in one or more ways. We have yet to find a browser
that supports RFC 2109 cookies.

If I had to guess at the original problem mentioned in this thread,
I'd say that .com.au actually does have 3 dots in it. The real domain
is .com.au. (notice the trailing dot). All FQDNs end in a trailing
dot. However, that clearly violates the intent behind the
restriction. On the other hand, bugs in the domain verification of
cookies are dirt common, so this could be allowed because it's a bug.

-- 
Jon Paul Nollmann né Darren Senn sinster@balltech.net
Unsolicited commercial email will be archived at $1/byte/day.
"Even a fool, when he holdeth his peace, is counted wise." Proverbs 17:28
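The two rule sets contrasted in this exchange, written out as an added example; this is not code from either poster or from any browser. It canonicalises the Domain value before counting periods (so that the trailing dot Nollmann suspects cannot inflate the count), applies the RFC 2109 section 4.3.2 rejection rules (leading dot, embedded dot, domain-match, no dots in the leftover host prefix) as the alternative, and builds the expires-based and Max-Age-based Set-Cookie headers the post compares. The function names, the request hosts `www.example.com.au` and `example.com.au`, and the Max-Age of 3600 are this example's own assumptions; the cookies.txt record is the one quoted above, with its fields re-joined by tabs.

```python
"""Cookie Domain acceptance under the Netscape cookie spec and RFC 2109.

Added example for this thread, not code from its authors. Standard library only.
The request hosts and Max-Age used below are assumptions made for illustration.
"""
import time

# Netscape preliminary spec: a Domain ending in one of these "special"
# top-level names needs at least two periods; any other needs at least three.
NETSCAPE_SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}


def canonical(name: str) -> str:
    """Lower-case a host or Domain value and drop the trailing dot that a
    fully qualified name may carry ('.com.au.' -> '.com.au')."""
    name = name.strip().lower()
    return name[:-1] if name.endswith(".") else name


def netscape_domain_ok_naive(domain: str) -> bool:
    """Period count taken from the raw Domain string with no canonicalisation.
    A FQDN's trailing dot counts as a period, which is the bug the post
    guesses at: '.com.au' fails the count, '.com.au.' passes it."""
    tld = domain.strip(".").rsplit(".", 1)[-1].lower()
    needed = 2 if tld in NETSCAPE_SPECIAL_TLDS else 3
    return domain.count(".") >= needed


def netscape_domain_ok(request_host: str, domain: str) -> bool:
    """Netscape rule on a canonicalised Domain, plus the requirement that the
    setting host actually lies inside that domain (dot-boundary suffix)."""
    host = canonical(request_host)
    dom = canonical(domain)
    if not dom.startswith("."):
        dom = "." + dom
    tld = dom.rsplit(".", 1)[-1]
    needed = 2 if tld in NETSCAPE_SPECIAL_TLDS else 3
    return dom.count(".") >= needed and host.endswith(dom)


def rfc2109_domain_ok(request_host: str, domain: str) -> bool:
    """RFC 2109 section 4.3.2: reject unless Domain starts with a dot and has
    an embedded dot, the request host domain-matches it (section 2), and the
    host prefix left over (H in 'HD') contains no dot."""
    host = canonical(request_host)
    dom = canonical(domain)
    if not dom.startswith(".") or "." not in dom[1:]:
        return False
    if not host.endswith(dom) or len(host) <= len(dom):
        return False  # host does not domain-match the Domain value
    prefix = host[: -len(dom)]
    return "." not in prefix


def parse_cookies_txt(line: str) -> dict:
    """Split one Netscape cookies.txt record: domain, host-only flag, path,
    secure flag, expiry (epoch seconds), name, value; tab-separated."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        raise ValueError("expected 7 tab-separated fields, got %d" % len(fields))
    keys = ("domain", "flag", "path", "secure", "expires", "name", "value")
    rec = dict(zip(keys, fields))
    rec["expires"] = int(rec["expires"])
    return rec


def netscape_set_cookie(name, value, domain, path, expires_epoch) -> str:
    """Netscape-style header with an absolute 'expires' date (C-locale month
    abbreviation), the form the 2000-era browsers listed in the post accept."""
    when = time.strftime("%a, %d-%b-%Y %H:%M:%S GMT", time.gmtime(expires_epoch))
    return "%s=%s; expires=%s; path=%s; domain=%s" % (name, value, when, path, domain)


def rfc2109_set_cookie(name, value, domain, path, max_age) -> str:
    """RFC 2109 header: Version=1 and a relative Max-Age in place of expires
    (section 4.2.2), the form the post found no browser honoured."""
    return '%s="%s"; Version="1"; Max-Age="%d"; Path="%s"; Domain="%s"' % (
        name, value, max_age, path, domain)


# The cookies.txt record quoted in the thread, fields re-joined with tabs.
QUOTED_LINE = "\t".join([".com.au", "TRUE", "/", "FALSE", "1264987602",
                         "CyberTargetAnonymous",
                         "NMN000CDCF833FA08963E9BDBC6CAA59301"])

if __name__ == "__main__":
    rec = parse_cookies_txt(QUOTED_LINE)
    for dom in (rec["domain"], rec["domain"] + "."):
        print("%-9s naive=%-5s strict(www.example.com.au)=%-5s rfc2109(example.com.au)=%s" % (
            dom, netscape_domain_ok_naive(dom),
            netscape_domain_ok("www.example.com.au", dom),
            rfc2109_domain_ok("example.com.au", dom)))
    print(netscape_set_cookie(rec["name"], rec["value"], rec["domain"], rec["path"], rec["expires"]))
    print(rfc2109_set_cookie(rec["name"], rec["value"], rec["domain"], rec["path"], 3600))
```

Running it shows the split the thread is arguing over: the raw period count rejects `.com.au` but accepts `.com.au.`, the canonicalised Netscape check rejects both, and the RFC 2109 rules accept `.com.au` only when the setting host sits directly beneath it (`example.com.au`, not `www.example.com.au`), since the leftover prefix may not contain a dot. Which browser actually implements which check can only be settled by testing the browser, as the post says.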