[thelist] someone else's cookies?

Oliver Lineham oliver at lineham.co.nz
Mon Nov 13 04:26:06 CST 2000


At 17:45 16/10/2000 +0100, you wrote:

>We have started logging cookies in our Apache logs, and we are finding that
>for some visitors as well as cookies set by our site either now or in the
>past, we are also getting
>
>SITESERVER=ID=and what is presumably a session id string
>RMID=presumably a session id string

i'm going to try and distill a very long story into a few lines, so take a 
big breath:

judging from your email address, your webserver is a .co.uk, yes?

the cookies you are seeing are indeed set by a microsoft server as someone 
else suggested, but it's probably not yours. it's probably 
microsoft.co.uk.  (i can hear some people saying "that's not possible!" 
just keep reading ;)

when you set a cookie, you can set a "domain" for the cookie.  it's not 
supposed to be possible to set it to something like ".COM" or ".CO.UK".

but, it *is* possible because there is a security hole in most versions of 
IE (before IE5), all versions of Netscape, and most versions of most other 
browsers.

i discovered this security hole a couple of years ago, and reported it here:
http://homepages.paradise.net.nz/~glineham/cookiemonster.html
it is also on the "bugtraq" archives.

the security hole was confirmed by the microsoft security team / ie 
development team, and also by netscape.


summary: if you're on a ccTLD (like .nz or .uk), you can expect to be sent 
other people's cookies.


if anyone's confused or wants more information, i'm happy to explain further.


____________________________________________________
     v i b e   m e d i a    http://www.vibe.co.nz/
  po box 10-492              wellington, new zealand
  phone +64 21 210-7845         oliver at lineham.co.nz
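An added example, not from the post above or from any browser's code, showing the difference the post describes: the lenient "at least two dots" rule that let a Domain attribute like ".co.uk" through, beside a check that also rejects registry-controlled suffixes. The PUBLIC_SUFFIXES table is a constructed, partial stand-in for the real Public Suffix List; a production check would load the full list.

```python
# Added example: validating a cookie's Domain attribute on a ccTLD.
# PUBLIC_SUFFIXES is a constructed, partial stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {
    "com", "net", "org", "nz", "uk",
    "co.uk", "org.uk", "ac.uk", "co.nz", "net.nz", "org.nz",
}


def lenient_domain_ok(domain: str) -> bool:
    """The old rule: accept any Domain attribute with at least two dots.
    '.com' is refused, but '.co.uk' (two dots) slips through, which is
    exactly how one .co.uk site could receive another's cookies."""
    return domain.count(".") >= 2


def strict_domain_ok(host: str, domain: str) -> bool:
    """Accept the Domain attribute only if it is the setting host itself
    or a dot-separated suffix of it, and is not a public suffix."""
    host = host.lower().rstrip(".")
    dom = domain.lower().lstrip(".").rstrip(".")
    if not dom or dom in PUBLIC_SUFFIXES:
        return False  # registry-level label: would be shared across sites
    if dom != host and not host.endswith("." + dom):
        return False  # host is outside the domain it tries to scope to
    return True


def classify(host: str, domain: str) -> dict:
    """Return both verdicts so the two rules can be compared side by side."""
    return {
        "lenient": lenient_domain_ok(domain),
        "strict": strict_domain_ok(host, domain),
    }


if __name__ == "__main__":
    # Constructed sample: a .co.uk host trying to scope a cookie to all of .co.uk
    for host, dom in [("www.example.co.uk", ".co.uk"),
                      ("www.example.co.uk", ".example.co.uk"),
                      ("www.example.co.uk", ".com")]:
        print(host, dom, classify(host, dom))
```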