[thelist] someone else's cookies?

Oliver Lineham oliver at lineham.co.nz
Mon Nov 13 04:45:55 CST 2000


At 10:37 13/11/2000 +0000, you wrote:

>woah!
>
>:-0

i found the bug much the same way you did:  wondered what the heck these 
SITESERVERID cookies were that were being sent to my scripts.

the ironic bit was when my colleague eventually managed to track down who 
was setting the supposedly-impossible cookies: none other than microsoft.co.nz!

the manufacturer was abusing a security bug in their own product ;)

>I'd given up on getting an answer to this one...Oliver, many thanks for your
>information!

no problem.


one of the issues with this bug is the possibility someone might 
maliciously set .co.uk cookies in people's browsers specifically to try and 
break your scripts (by using the same variable names as yours).  if someone 
does that, both cookies will be returned to your server by the browser and 
it will be up to your script to be smart enough to notice and act accordingly.

one scenario we described on the website was company A trying to stop 
company B's cookie-based shopping cart from working.


____________________________________________________
     v i b e   m e d i a    http://www.vibe.co.nz/
  po box 10-492              wellington, new zealand
  phone +64 21 210-7845         oliver at lineham.co.nz
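
The check described in the message above (a script noticing that the browser returned two cookies with the same name), as an added example that is not part of the original post. The function names, the `cart` cookie and the sample header are constructed for illustration; only `SITESERVERID` comes from the message.

```python
from collections import defaultdict


def split_cookie_header(header):
    """Return {name: [values...]}, keeping every occurrence in a Cookie header.

    Many cookie parsers keep one value per name, which hides the case where
    a cookie set for a wider domain collides with the site's own cookie.
    """
    seen = defaultdict(list)
    for pair in header.split(";"):
        pair = pair.strip()
        if "=" not in pair:
            continue  # skip empty or malformed fragments
        name, value = pair.split("=", 1)
        seen[name.strip()].append(value.strip())
    return dict(seen)


def read_cookies(header, required=()):
    """Separate cookies sent exactly once from names sent more than once.

    The Cookie header carries no domain or path, so the server cannot tell
    which of two same-named values is its own. Duplicated names are therefore
    treated as untrusted and reported, not silently resolved.
    """
    trusted, ambiguous = {}, {}
    for name, values in split_cookie_header(header).items():
        if len(values) == 1:
            trusted[name] = values[0]
        else:
            ambiguous[name] = values
    # Required cookies that are absent or ambiguous must be re-issued.
    missing = [name for name in required if name not in trusted]
    return trusted, ambiguous, missing


# Constructed sample: the site's own "cart" cookie plus a second "cart"
# cookie that was set for a wider domain by another site.
SAMPLE_HEADER = "cart=A17-own; SITESERVERID=abc123; cart=set-by-other-site"

if __name__ == "__main__":
    trusted, ambiguous, missing = read_cookies(SAMPLE_HEADER, required=["cart"])
    print("trusted:  ", trusted)
    print("ambiguous:", ambiguous)
    print("missing:  ", missing)
```

A script that finds a required cookie in `missing` can discard the request's cart state and set a fresh cookie under a name that is harder to collide with.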



