[13770] in bugtraq
Re: Evil Cookies.
daemon@ATHENA.MIT.EDU (Tim Adam)
Wed Feb 9 03:54:37 2000
Content-Type: text/plain
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <00020910555001.20675@brock>
Date: Wed, 9 Feb 2000 10:11:40 +1100
Reply-To: Tim Adam <tma@OSA.COM.AU>
From: Tim Adam <tma@OSA.COM.AU>
X-To: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Dylan Griffiths wrote:
> Thomas Reinke wrote:
> > There is no easy patch to this problem. The only solution I
> > can think of, which is not an easy one, would be to have browsers
> > have intimate knowledge of what constitutes an organization's
> > "domain of influence", and limit cookies accordingly. This
> > is essentially impossible to implement.
>
> > (Consider domain.city.state.country - where is the allowable
> > domain of influence here? Probably 4 levels deep, but how
> > to indicate this to the browser).
>
> Perhaps this would be an exercise best left up to the user, as there is
> currently no way to indicate the scope of the authority (harmless TLD,
> country, normal domain, etc) in the DNS system.
A similar problem existed in WPAD (Web Proxy Auto-Discovery)
for IE 5.0: see MS Security Bulletin MS99-054 at
http://www.microsoft.com/technet/security/bulletin/ms99-054.asp
The browser was walking up the DNS hierarchy looking for the name wpad,
in some cases making queries outside the organization's trust boundary.
Tim.
--
Tim Adam Tim.Adam@osa.com.au http://www.osa.com
Software Development Engineer Phone: +61 3 9895 2199
Open Software Associates Ltd. Box Hill VIC Australia
Proven Solution Deployment for the Global Enterprise
