[8833] in bugtraq
Re: Security Flaw in Cookies Implementation
daemon@ATHENA.MIT.EDU (der Mouse)
Sat Dec 26 14:23:27 1998
Date: Sat, 26 Dec 1998 11:47:06 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
> I have discovered what I beleive to be a flaw in the implementation
> of cookies, that allows for possible security implications.
> http://www.paradise.net.nz/~glineham/cookiemonster.html
I particularly agree with the following text, taken from the URL I
quoted above:
It has been pointed out to me that the whole idea of counting
dots to determine valid domain settings for cookies is a
fundamental flaw in the specification.
Consider my domain, for example: rodents.montreal.qc.ca. Any
specification that allows any server not under rodents.montreal.qc.ca
to set cookies to be sent to any server that *is* under that domain is
broken. As I read it, the spec (if correctly implemented) would allow
any .montreal.qc.ca server to set cookies to be sent to my web server
(if I had one). That is, I can extend the statement that
Any country that operates subclassification of its domains is
susceptible. [...] Countries that do not subclassify their
domains are not susceptible.
by pointing out that places that have additional levels of
subclassification (like .montreal.qc.ca, or .k12.XX.us) will be
susceptible even if the spec is correctly implemented.
The spec is also broken in that it hardwires in, for all time (or at
least for the useful lifetime of extant browsers, which amounts to much
the same thing in practice), the list of `generic' top-level domains.
Creating a new generic TLD will break it.
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B