[thelist] someone else's cookies?
Oliver Lineham
oliver at lineham.co.nz
Mon Nov 13 04:26:06 CST 2000
At 17:45 16/10/2000 +0100, you wrote:
>We have started logging cookies in our Apache logs, and we are finding that
>for some visitors as well as cookies set by our site either now or in the
>past, we are also getting
>
>SITESERVER=ID=and what is presumably a session id string
>RMID=presumably a session id string

i'm going to try and distill a very long story into a few lines, so take a
big breath:

judging from your email address, your webserver is a .co.uk, yes?

the cookies you are seeing are indeed set by a microsoft server as someone
else suggested, but it's probably not yours. it's probably
microsoft.co.uk. (i can hear some people saying "that's not possible!"
just keep reading ;)

when you set a cookie, you can set a "domain" for the cookie. it's not
supposed to be possible to set it to something like ".COM" or ".CO.UK".
but, it *is* possible because there is a security hole in most versions of
IE (before IE5), all versions of Netscape, and most versions of most other
browsers.

i discovered this security hole a couple of years ago, and reported it here:
http://homepages.paradise.net.nz/~glineham/cookiemonster.html
it is also on the "bugtraq" archives.

the security hole was confirmed by the microsoft security team / ie
development team, and also by netscape.

summary: if you're on a ccTLD (like .nz or .uk), you can expect to be sent
other people's cookies.

if anyone's confused or wants more information, i'm happy to explain further.

____________________________________________________
v i b e m e d i a http://www.vibe.co.nz/
po box 10-492 wellington, new zealand
phone +64 21 210-7845 oliver at lineham.co.nz
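
Added example, not part of the original post: a comparison of two ways a browser can validate the Domain attribute of a cookie, showing why a Domain of ".co.uk" ends up being sent to unrelated .co.uk hosts. The dot-counting rule is an assumed simplification of legacy behaviour (the post does not spell out the check), and the suffix set, hostnames and function names are constructed for illustration.

```javascript
// Added example: constructed data, hypothetical function names.
// Tiny constructed stand-in for a public-suffix list (real lists are far larger).
const SUFFIXES = new Set(["com", "uk", "co.uk", "nz", "co.nz"]);

const norm = (d) => d.toLowerCase().replace(/^\./, "");

// Domain match: host equals the domain or ends with "." + domain.
function domainMatch(host, domain) {
  const h = host.toLowerCase(), d = norm(domain);
  return h === d || h.endsWith("." + d);
}

// Assumed legacy rule: accept any Domain that tail-matches the setting host
// and contains at least two dots (leading dot included).
function legacyAccepts(host, domain) {
  const dots = (domain.match(/\./g) || []).length;
  return dots >= 2 && domainMatch(host, domain);
}

// Suffix-aware rule: also refuse a Domain that is itself a registry suffix.
function suffixAwareAccepts(host, domain) {
  return domainMatch(host, domain) && !SUFFIXES.has(norm(domain));
}

// Compare both rules for one Set-Cookie Domain and list the other hosts
// that would receive the cookie if it were stored.
function evaluate(settingHost, domain, otherHosts) {
  return {
    legacy: legacyAccepts(settingHost, domain),
    suffixAware: suffixAwareAccepts(settingHost, domain),
    alsoSentTo: otherHosts.filter((h) => h !== settingHost && domainMatch(h, domain)),
  };
}

// Constructed hostnames, for illustration only.
const hosts = ["shop.example.co.uk", "news.example.org.uk", "www.example.com"];
const cases = [
  ["www.vendor.example.co.uk", ".co.uk"],         // suffix-wide cookie
  ["www.vendor.example.co.uk", ".example.co.uk"], // ordinary site-wide cookie
  ["www.example.com", ".com"],                    // blocked even by dot counting
];
for (const [host, domain] of cases) {
  console.log(host, domain, JSON.stringify(evaluate(host, domain, hosts)));
}
```

Dot counting stops ".com" but not ".co.uk", which is why the effect shows up on ccTLDs with second-level registries; the suffix-aware rule rejects both.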