[23251] in bugtraq
Javascript can bypass user preference for cookie prompt in
daemon@ATHENA.MIT.EDU (Derek Johnson)
Mon Nov 26 13:25:12 2001
Date: 26 Nov 2001 06:54:48 -0000
Message-ID: <20011126065448.10146.qmail@mail.securityfocus.com>
From: Derek Johnson <dqj@btinternet.com>
To: bugtraq@securityfocus.com

If a user sets the option "Prompt to allow cookies to be stored on your machine", I have found that this can be bypassed in ME by local Javascript code directly setting a cookie.

A request to disable the storing of cookies is honored, but not the option to prompt before storing them.

Hence it is insecure to set this option with Javascript enabled. It is not known if this is fixed by any combination of patches issued by Microsoft.