[thelist] someone else's cookies?
Oliver Lineham
oliver at lineham.co.nz
Mon Nov 13 04:45:55 CST 2000
At 10:37 13/11/2000 +0000, you wrote:
>woah!
>
>:-0
i found the bug much the same way you did: wondered what the heck these
SITESERVERID cookies were that were being sent to my scripts.
the ironic bit was when my colleague eventually managed to track down who
was setting the supposedly-impossible cookies: none other than microsoft.co.nz!
the manufacturer was abusing a security bug in their own product ;)
>I'd given up on getting an answer to this one...Oliver, many thanks for your
>information!
no problem.
one of the issues with this bug is the possibility someone might
maliciously set .co.uk cookies in people's browsers specifically to try and
break your scripts (by using the same variable names as yours). if someone
does that, both cookies will be returned to your server by the browser and
it will be up to your script to be smart enough to notice and act accordingly.
one scenario we described on the website was company A trying to stop
company B's cookie-based shopping cart from working.
____________________________________________________
v i b e m e d i a http://www.vibe.co.nz/
po box 10-492 wellington, new zealand
phone +64 21 210-7845 oliver at lineham.co.nz
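
Added example, not part of the original post: one way a server-side script can notice two cookies arriving under the same name and act on it. It goes a step beyond the post by HMAC-signing the values the site issues, so the script can tell its own cookie from one planted at a wider domain; `SECRET`, the `cart` cookie name and the sample header are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

SECRET = b"constructed-demo-key"  # assumption: a per-site server-side secret


def parse_cookie_header(header):
    """Return {name: [values...]}, keeping every occurrence of a name."""
    jar = defaultdict(list)
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            jar[name].append(value)
    return dict(jar)


def sign(value):
    """Append an HMAC tag so the server can recognise values it issued."""
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed):
    """Return the bare value if the tag is ours, else None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = sign(value).rpartition(".")[2]
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return value if ok else None


def read_cookie(header, name):
    """Return (value, collided). The Cookie request header carries no domain,
    so a duplicated name can only be resolved by which value we signed."""
    candidates = parse_cookie_header(header).get(name, [])
    valid = {v for v in (verify(c) for c in candidates) if v is not None}
    collided = len(candidates) > 1
    # Zero or several distinct valid values: refuse rather than guess.
    if len(valid) != 1:
        return None, collided
    return valid.pop(), collided


# Constructed request header: a wider-domain cookie reuses our name "cart".
ours = sign("cart-8841")
header = f"cart=planted-by-other-site; cart={ours}; lang=en"
```

The `collided` flag is worth logging even when a valid value is recovered, since it shows that another site has set a cookie under the same name.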