lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <010e01c48991$9d6ebd00$1432140a@mylaptop>
Date: Tue, 24 Aug 2004 09:49:48 +0530
From: "Rohit Dube" <rohit@...tikalsolutions.com>
To: "'George Capehart'" <gwc@....org>, <bugtraq@...urityfocus.com>
Subject: RE: Third party cookie handling in Opera can lead to potential compromises in Servers relying on redirection


How do mozilla and IE do this? In case they are allowing overwriting of
cookie from one domain by another domain, it can be much worse.

Thanks
Rohit Dube
KritiKal Solutions Private Limited
TB1, TBIU,
Block One Extension
IIT Delhi
New Delhi-16 

Prediction is very difficult, especially of the future.

-----Original Message-----
From: George Capehart [mailto:gwc@....org] 
Sent: Friday, August 20, 2004 3:58 AM
To: bugtraq@...urityfocus.com
Subject: Re: Third party cookie handling in Opera can lead to potential
compromises in Servers relying on redirection


On Tuesday 17 August 2004 04:34, Rohit Dube allegedly wrote:
> Hi,
>  Opera's policy with respect to third party cookie makes it
> vulnerable to session replay attacks. This was discovered 2 weeks
> back. Opera's response to the same is attached. The issue and the
> workaround are listed below.
>
> Opera claims to be the fastest browser on earth and has the third
> largest user base.
>
> Issue:
> In case Opera privacy policy is set to refuse all third party
> cookies, some servers (one is mail.yahoo.com) become susceptible to
> session replay attacks. Reproduction steps, for mail.yahoo.com are:

<snip rest of discussion>

Seems to me that it's not Opera that is "at fault."  Browsers don't have 
sessions for which they need to maintain state.  Application servers 
do, though.  Shame on Yahoo for not maintaining state.  This is a 
significant problem for Yahoo and all other sites that use cookies but 
do not maintain their own idea of state and which don't protect 
themselves against session replay attacks.  Rule #1 of (especially 
distributed) applications:  DO NOT TRUST INPUT FROM A DOMAIN UNDER 
WHICH YOU HAVE NO CONTROL!!!!!!  This is just plain bad practice.

My 0.02 $CURRENCY

Best regards,

George Capehart
-- 
George W. Capehart

Key fingerprint:  3145 104D 9579 26DA DBC7  CDD0 9AE1 8C9C DD70 34EA

"With sufficient thrust, pigs fly just fine."  -- RFC 1925






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ