lynx-dev cookie bug (not in lynx)
From: brian j. pardy
Subject: lynx-dev cookie bug (not in lynx)
Date: Wed, 23 Dec 1998 17:09:38 -0800
From <URL:http://www.paradise.net.nz/~glineham/cookiemonster.html>:
HTTP Cookie Bug Affecting Servers On Non-US Domains
22 December 1998 NZDT
If you are any sort of expert in the areas of HTTP, cookies, browsers,
or general Internet security we urgently want to read any comments you
might have. Email address@hidden now.
Affected applications:
* Internet Explorer 5 Beta (Win32)
[...]
* others extremely likely
Unaffected applications:
* Lynx 2.8rel.2 (Linux):
asks the user to "allow setting of cookie with invalid domain
.co.nz"
[...]
The bug: A cookie may be set by a server on a domain name other than
the American TLDs (.com, .net, .org, etc.), which is erroneously
allowed to be returned to servers on other domains. For example,
company.co.nz may set a cookie in a user's browser that is returned to
all servers below .co.nz.
This affects: anyone using any of the browsers listed above (possibly
more) who visits websites outside the US; anyone operating a website
or server on a non-US domain name.
[...]
The contents of this page and the scripts it links to are Copyright ©
1998. Permission is granted to reproduce small quantities of the page
for purposes of fair review.
A sample exploit description is linked on that page.
My concern here -- the patch in 2.8.1 that will accept cookies with
invalid domains *IF* ACCEPT_ALL_COOKIES is enabled.
This is either a bug or a feature, depending on what ACCEPT_ALL_COOKIES is
defined to mean.
I suggest anyone interested in Lynx cookies take a look at this page.
--
America may be unique in being a country which has leapt
from barbarism to decadence without touching civilization.
-- John O'Hara
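As an added example (not from this post, from Lynx, or from the linked page), a Python model of the two-dot/three-dot Domain-attribute check of that era: it rejects `.co.nz` as too broad while accepting `.company.co.nz`, and a helper lists which hosts an over-broad cookie would be returned to if a client stored it anyway. The TLD list follows the Netscape cookie specification; hostnames other than company.co.nz are constructed.

```python
# Added example, not Lynx's code: the Netscape/RFC 2109 era heuristic for the
# Set-Cookie Domain attribute. A generic TLD (.com, .net, ...) needs two
# embedded dots (".example.com"); any other TLD needs three (".company.co.nz"),
# which is why ".co.nz" is rejected as an invalid domain.

# TLDs for which a two-dot domain such as ".example.com" is specific enough.
SPECIAL_TLDS = {"com", "edu", "net", "org", "gov", "mil", "int"}

def normalize_domain(cookie_domain: str) -> str:
    """Lower-case, strip a trailing dot and force a leading dot."""
    d = cookie_domain.strip().lower().rstrip(".")
    return d if d.startswith(".") else "." + d

def domain_is_valid(cookie_domain: str) -> bool:
    """True if the Domain attribute is specific enough to accept."""
    d = normalize_domain(cookie_domain)
    labels = d.split(".")[1:]          # labels after the leading dot
    if not labels or any(not lab for lab in labels):
        return False                   # empty or malformed ("..", "a..b")
    needed = 2 if labels[-1] in SPECIAL_TLDS else 3
    return d.count(".") >= needed

def host_matches_domain(host: str, cookie_domain: str) -> bool:
    """Tail match: host is the domain itself or lies below it."""
    h = host.strip().lower().rstrip(".")
    d = normalize_domain(cookie_domain)
    return h == d[1:] or h.endswith(d)

def should_accept(request_host: str, cookie_domain: str) -> bool:
    """Accept a Set-Cookie only if the domain is specific enough and the
    setting host itself lies within it."""
    return domain_is_valid(cookie_domain) and host_matches_domain(
        request_host, cookie_domain)

def cookie_recipients(cookie_domain: str, hosts):
    """Hosts a stored cookie would be sent to: the exposure if an
    over-broad domain such as ".co.nz" were accepted anyway."""
    return [h for h in hosts if host_matches_domain(h, cookie_domain)]

if __name__ == "__main__":
    # Constructed sample hosts; only company.co.nz comes from the report.
    hosts = ["company.co.nz", "otherbank.co.nz", "example.com"]
    print(should_accept("company.co.nz", ".co.nz"))          # False
    print(should_accept("company.co.nz", ".company.co.nz"))  # True
    print(cookie_recipients(".co.nz", hosts))  # both .co.nz hosts
```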