On 06.02.2013 23:55, Donald Stufft wrote:
> On Wednesday, February 6, 2013 at 5:53 PM, M.-A. Lemburg wrote:
>> On 06.02.2013 23:28, Donald Stufft wrote:
>>> On Wednesday, February 6, 2013 at 5:06 PM, mar...@v.loewis.de wrote:
>>>>> Javascript hosted on packages.python.org has access to cookies on
>>>>> python.org. If python.org has any sort of login it's trivial to
>>>>> steal a session cookie.
>>>>
>>>> No, it doesn't. Cookies for "python.org" are not available to
>>>> "packages.python.org". It would have to be a cookie for ".python.org".
>>>> We don't issue such cookies.
>>>
>>> http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies
>>>
>>> Specifically:
>>>
>>> Note: according to one of the specs, domain wildcards should be marked
>>> with a preceding period, so .example.com would denote a wildcard match
>>> for the entire domain - including, somewhat confusingly, example.com
>>> proper - whereas foo.example.com would denote an exact host match. Sadly,
>>> no browser follows this logic, and domain=example.com is exactly
>>> equivalent to domain=.example.com. There is no way to limit cookies to a
>>> single DNS name only, other than by not specifying domain= value at all -
>>> and even this does not work in Microsoft Internet Explorer; likewise,
>>> there is no way to limit them to a specific port.
>>
>> A forced redirect from python.org to www.python.org should fix this,
>> provided that no service on *.python.org uses a .python.org
>> (or python.org) cookie.
>
> http://en.wikipedia.org/wiki/Session_fixation
>
> packages.python.org can set a .python.org cookie which www.python.org will
> read.
Right, but if you want to steal session cookies from e.g. www.python.org or
pypi.python.org, you'd be interested in the other way around, I suppose,
unless you want to invest a lot in social engineering :-)

In any case, if the systems on the various sub-domains of python.org allow
session fixation attacks, we should probably get those fixed.

And additionally, redirect (and move) packages.python.org to some new
top-level domain, so that we can avoid cross sub-domain attacks and "only"
have to deal with cross site style attacks ;-)

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 06 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
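As an added example, not part of the thread above, the cookie scoping rules Donald quotes can be checked offline with Python's http.cookiejar, whose default policy applies the same Netscape-style rules browsers do: a Domain attribute, with or without the leading dot, scopes the cookie to the whole domain and every host under it, while omitting it yields a host-only cookie. The hostnames and cookie values are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class _Response:
    """Stand-in for an HTTP response; CookieJar.extract_cookies() only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # repeated header names are allowed

    def info(self):
        return self._headers


def cookies_sent(set_from_url, set_cookie_headers, request_url):
    """Store cookies as if a response from set_from_url had set them, then return
    the names of the cookies a later request to request_url would carry."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy: Netscape-style, liberal
    jar.extract_cookies(_Response(set_cookie_headers),
                        urllib.request.Request(set_from_url))
    request = urllib.request.Request(request_url)
    jar.add_cookie_header(request)  # adds a Cookie header only for cookies in scope
    header = request.get_header("Cookie")
    if not header:
        return []
    return [pair.split("=", 1)[0] for pair in header.split("; ")]


if __name__ == "__main__":
    # Constructed scenario: a response from packages.python.org sets "session".
    origin = "http://packages.python.org/"
    for set_cookie in ("session=x; Domain=.python.org",  # explicit domain cookie
                       "session=x; Domain=python.org",   # no leading dot: same scope
                       "session=x"):                     # host-only cookie
        for target in ("http://www.python.org/", "http://packages.python.org/"):
            print(f"{set_cookie!r:34} -> {target}: "
                  f"{cookies_sent(origin, [set_cookie], target)}")
```

Both Domain forms reach www.python.org from a cookie set by packages.python.org, which is the fixation path linked above; only the host-only cookie stays on packages.python.org, and a login handler that issues a fresh session id after authentication rather than adopting an incoming one closes that path regardless of cookie scope.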