Forums Problems

GrowlZ1010 · #1 04-27-2004, 09:07 PM

Quote:

Originally Posted by busyrobot

Secondary question:
This 'steal your cookie by an evil link' thing - does that use special browser HTML/JS/ETC or is it all serverside?

A known Internet Explorer bug (read: glaring security hole - still around in 5.5 with all the latest Windows Update patches, not sure about 6) allows you to steal cookies using simple JavaScript - all you'd need is for someone to visit a page laced with the deadly cookie-bewildering toxin and their cookies for ANY domain anywhere can be acquired. The exploit doesn't even need to be visible to the user - the script could be run in the background in a tiny IFRAME and the user would have no idea their cookies had been compromised. A serverside script is often used to record this acquired data, but I'm not aware of any major cross-browser exploits which operate on the serverside alone.

Whether or not this was the method used in this particular situation, I am uncertain. Of course, corrections or clarifications would be welcomed.

(first post in months! hooray!)

Tyhm · #2 04-28-2004, 04:33 AM

That's an excellent explanation of the problem. Thanks Growlz.

Loriel · #3 04-28-2004, 06:28 PM

Quote:

Originally Posted by GrowlZ1010

known Internet Explorer bug

So Firefox/Linux wins! Weeeh!

Kristi · #4 04-28-2004, 08:08 PM

Quote:

Originally Posted by Loriel

So Firefox/Linux wins! Weeeh!

Hense the reason it wasnt that bug, but an XSS one as i explained eariler, its not browser specific =p

GrowlZ1010 · #5 04-28-2004, 08:51 PM

Quote:

Originally Posted by Kristi

Hense the reason it wasnt that bug, but an XSS one as i explained eariler, its not browser specific =p

How very interesting. I suppose that the PHP $_REQUEST array (made up of all values sent by the user - ones sent in the URL, stuff POSTed by a form, and cookie data) was being used in these scripts instead of a specific global dealing with wherever the input should be coming from, allowing for falsified cookie or POSTed values to be passed along in the URL. Or, say, cookie-stealin' JavaScript. But that's just a semi-educated guess.

As I stated previously, corrections and clarifications are always good. Instead of knowing only about the cookie vulnerability which was actually used, we now know about two! And knowing more is usually better than knowing less.

(However, I'll agree with Loriel's point just because it's dangably valid. Hooray for Firefox!)