Re: Microsoft IE cookies readable via about: URLS

From: Peter W (peterw@usa.net)
Date: 11/15/01


Date: Thu, 15 Nov 2001 16:39:47 -0500
From: Peter W <peterw@usa.net>
To: bugtraq@securityfocus.com
Subject: Re: Microsoft IE cookies readable via about: URLS
Message-ID: <20011115163947.D17248@usa.net>


** resending; the distinction between http and https cookies is
   significant, and this about: bug underscores the importance
   of using at least one "secure" cookie for extra protection **

On Thu, Nov 08, 2001 at 03:32:54PM +0200, Jouko Pynnonen wrote:

> Finally, the about URL may have a hostname placed after the colon, and IE
> uses that hostname when determining the cookies to use:
>
> about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>
>
> The above URL would result in IE displaying cookies of www.anydomain.fi
> in the alert box, assuming that the site has been visited and it has set
> a cookie which hasn't expired.

Site admins: be sure to set the "secure" flag on cookies where possible!

A colleague who has tested this (I don't have IE 5.5 or 6.0 handy) reports
at least one nugget of good news: it seems that about: can only be used to
leak non-secure cookies. At least for our site (which uses both secure and
non-secure cookies), only those not flagged secure are visible. So sites
that run under SSL and set the secure flag are OK. But those of us using
cookies on plain old HTTP are in deep trouble. (And rumor has it that at
least one prominent online investment e-trading site, despite using SSL,
does *not* set the secure flags for their cookies, and therefore their
customers using IE 5.5 or IE 6.0 are vulnerable to some degree of account
information theft!)

Unfortunately, a quick survey of some on-line storefronts by prominent tech
companies (Red Hat, IBM, Microsoft) suggests that it's rather popular for
commerce sites to only use non-secure cookies. This despite the discussion
of the "cookie marking" bug in IIS 4 and IIS 5 that prompted patches.[0]

Microsoft: this really, really stinks.

-Peter

[0] http://www.ciac.org/ciac/bulletins/l-010.shtml
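The post's point is that a browser releases cookies flagged "secure" only to an https: context, so a leak from an insecure context (here, IE's about: handling) exposes just the unflagged ones. The following is an added example, not code from the post or the original bug report: a small cookie jar in Python that applies the secure attribute the way a browser is supposed to, plus an audit helper that lists cookies a server set without the flag. The hostnames and Set-Cookie lines are constructed; only the `secure` and `domain` attributes are parsed, and the about: scheme is simply treated as any non-https context.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str   # host the cookie is scoped to (no leading dot)
    secure: bool  # the Set-Cookie "secure" attribute was present


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value into a Cookie.

    Only the attributes this example needs are handled (secure, domain);
    path, expires and the rest are ignored. Constructed for illustration.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = request_host.lower()
    secure = False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "domain" and val.strip():
            domain = val.strip().lstrip(".").lower()
    return Cookie(name.strip(), value.strip(), domain, secure)


def domain_matches(cookie_domain: str, host: str) -> bool:
    """Domain-match a cookie: exact host, or any subdomain of the cookie domain."""
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_for(jar, url: str):
    """Return the cookies a browser would expose to a page at `url`.

    A secure cookie is released only to an https: context. Any other scheme
    (plain http:, or the about: URL the post discusses) sees only cookies
    that were set without the secure flag.
    """
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    return [c for c in jar
            if domain_matches(c.domain, host)
            and (u.scheme == "https" or not c.secure)]


def missing_secure(set_cookie_headers, request_host: str):
    """Audit helper: names of cookies a server set without the secure flag."""
    return [c.name for c in
            (parse_set_cookie(h, request_host) for h in set_cookie_headers)
            if not c.secure]


# Constructed sample: three Set-Cookie headers as a site might send them.
SAMPLE_HOST = "www.anydomain.fi"
SAMPLE_HEADERS = [
    "sessid=abc123; path=/; secure",        # flagged secure: https only
    "prefs=lang%3Den; path=/",              # unflagged: sent over http too
    "tracker=xyz; domain=.anydomain.fi",    # unflagged, scoped to whole domain
]
SAMPLE_JAR = [parse_set_cookie(h, SAMPLE_HOST) for h in SAMPLE_HEADERS]


def visible_names(url: str):
    """Names of the sample cookies exposed to a page at `url`."""
    return [c.name for c in cookies_for(SAMPLE_JAR, url)]


if __name__ == "__main__":
    for url in ("https://www.anydomain.fi/", "http://www.anydomain.fi/",
                "about://www.anydomain.fi/"):
        print(url, visible_names(url))
    print("set without secure flag:", missing_secure(SAMPLE_HEADERS, SAMPLE_HOST))
```

Running it shows the split the post describes: the https: page gets all three cookies, while the http: and about: contexts get only `prefs` and `tracker`, so `sessid` (the one a site would most want protected) stays out of reach of the leak. Feeding a site's real Set-Cookie headers to `missing_secure` is the quick check an admin can do before worrying about the browser side.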


