[8833] in bugtraq


Re: Security Flaw in Cookies Implementation

daemon@ATHENA.MIT.EDU (der Mouse)
Sat Dec 26 14:23:27 1998

Date: 	Sat, 26 Dec 1998 11:47:06 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG

> I have discovered what I believe to be a flaw in the implementation
> of cookies that allows for possible security implications.
> http://www.paradise.net.nz/~glineham/cookiemonster.html

I particularly agree with the following text, taken from the URL I
quoted above:

        It has been pointed out to me that the whole idea of counting
        dots to determine valid domain settings for cookies is a
        fundamental flaw in the specification.

Consider my domain, for example: rodents.montreal.qc.ca.  Any
specification that allows any server not under rodents.montreal.qc.ca
to set cookies to be sent to any server that *is* under that domain is
broken.  As I read it, the spec (if correctly implemented) would allow
any .montreal.qc.ca server to set cookies to be sent to my web server
(if I had one).  That is, I can extend the statement that

        Any country that operates subclassification of its domains is
        susceptible.  [...]  Countries that do not subclassify their
        domains are not susceptible.

by pointing out that places that have additional levels of
subclassification (like .montreal.qc.ca, or .k12.XX.us) will be
susceptible even if the spec is correctly implemented.

The spec is also broken in that it hardwires in, for all time (or at
least for the useful lifetime of extant browsers, which amounts to much
the same thing in practice), the list of `generic' top-level domains.
Creating a new generic TLD will break it.

                                        der Mouse

                               mouse@rodents.montreal.qc.ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
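
An added illustration of the dot-counting rule the post criticises (not part of the original message): it implements the Netscape-era Domain check beside a public-suffix check, so the .montreal.qc.ca and new-generic-TLD cases above can be run. The PUBLIC_SUFFIXES set is a small constructed stand-in for the real Public Suffix List (publicsuffix.org); everything else is standard Python.

```python
# Added example: the Netscape-era "count the dots" rule for the cookie
# Domain attribute, beside a public-suffix check.  Assumption: the small
# PUBLIC_SUFFIXES set is a constructed stand-in for the real Public
# Suffix List (publicsuffix.org) that browsers consult today.

GENERIC_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

# Constructed excerpt: suffixes under which unrelated parties register
# names, so no single site may set a cookie for the whole suffix.
PUBLIC_SUFFIXES = {"com", "ca", "qc.ca", "montreal.qc.ca",
                   "us", "ca.us", "k12.ca.us", "info"}

def _normalise(domain: str) -> str:
    """Lower-case and force the leading dot the old spec assumed."""
    return "." + domain.lower().lstrip(".")

def in_domain(host: str, domain: str) -> bool:
    """Tail match: is host inside domain?  The same rule decides whether a
    stored cookie is later sent to host."""
    host, domain = host.lower(), _normalise(domain)
    return host == domain[1:] or host.endswith(domain)

def netscape_allows(host: str, domain: str) -> bool:
    """Original rule: setting host must be inside domain, and domain needs
    >= 2 dots under a hard-wired generic TLD, >= 3 dots anywhere else."""
    domain = _normalise(domain)
    if not in_domain(host, domain):
        return False
    needed = 2 if domain.rsplit(".", 1)[-1] in GENERIC_TLDS else 3
    return domain.count(".") >= needed

def public_suffix_allows(host: str, domain: str) -> bool:
    """Suffix-list rule: same tail match, but refuse any domain that is
    itself a public suffix, however many dots it contains."""
    domain = _normalise(domain)
    return in_domain(host, domain) and domain[1:] not in PUBLIC_SUFFIXES

def compare(setting_host: str, domain: str, victim_host: str) -> dict:
    """Is setting_host's cookie for domain accepted under each rule, and
    would a browser then send it to victim_host?"""
    return {"netscape": netscape_allows(setting_host, domain),
            "public_suffix": public_suffix_allows(setting_host, domain),
            "sent_to_victim": in_domain(victim_host, domain)}

# The post's own case: a third level under .qc.ca passes the dot count.
print(compare("other.montreal.qc.ca", ".montreal.qc.ca", "rodents.montreal.qc.ca"))
```

The second point in the post shows up as well: a cookie for .example.info set by www.example.info is refused by the dot count because "info" is not on the hard-wired generic list, while the suffix check accepts it.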
