----------------------------------------------------------------------
SNS Advisory No.79
A Possibility of Cookie Overwrite in Microsoft Internet Explorer
Problem first discovered on: Mon, 01 Sept 2003
Published on: Mon, 15 Nov 2004
----------------------------------------------------------------------
Severity Level:
---------------
Low
Overview:
---------
Microsoft Internet Explorer contains a vulnerability that could cause a
Cookie to be overwritten under certain conditions.
Problem Description:
--------------------
Microsoft Internet Explorer fails to check certain character strings
when accepting cookies.
If Internet Explorer accepts a cookie with a crafted Path attribute,
it becomes possible to overwrite a cookie issued by another site under
specific conditions.
[Preconditions for the exploit]
1. If the target domain name contains the attacker's domain name,
or if the target IP address contains the attacker's IP address
2. If the target site is running a Web service on a wildcard domain
Exploitation therefore, could make it possible for attackers to hijack
Web sessions and login as legitimate users.
Tested Versions:
----------------
Microsoft Internet Explorer 6.0 Service Pack 1
Solution:
---------
If you use Windows XP, apply Service Pack 2.
Or as an alternative workaround, change the configuration as follows:
1. When accepting a cookie, please set to prompt a dialog in [Internet
Options].
1) Go to [Privacy] -> [Advanced]
2) In the "Cookies" section, check the "Override automatic cookie
handling" checkbox.
3) Under First-party Cookies, select [Prompt]
4) Click [OK]
2. Please choose [Block Cookie] to cancel cookies that do not start with "/".
Discovered by:
--------------
Keigo Yamazaki
Acknowledgements:
-----------------
Microsoft Co., Ltd
Disclaimer:
-----------
The information contained in this advisory may be revised without prior
notice and is provided as it is. Users shall take their own risk when
taking any actions following reading this advisory. LAC Co., Ltd.
shall take no responsibility for any problems, loss or damage caused
by, or by the use of information provided here.
This advisory can be found at the following URL:
http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/79_e.html
------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
--
Editor's Note: The 43rd Most Powerful Person in Networking says...
Register today to take the TruSecure ICSA exam by 12/31/04 at
<http://www.2test.com> , use promo code "CT1204" and you will pay just
$221.25 US Dollars for domestic exam delivery and $296.25 US Dollars
for international delivery.
Visit <https://ticsa.trusecure.com> for complete details regarding the
TICSA credential and to take the free sample exam.
--
