>> Even the one(s) only accessible on the specified domain set in the cookie?

ALL of them.

Using a specially encoded URL, I was able to access ANY cookie on the user's
system. The only thing the attacker needs to know is what domain's cookies
he wants from the user.

Michael J. Sheldon
Internet Applications Developer
Phone: 480.699.1084
http://www.desertraven.com/
PGP Key Available on Request

-----Original Message-----
From: Todd Ashworth [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 16, 2000 19:13
To: [EMAIL PROTECTED]
Subject: Re: "You have nice cookies .. mind if I have a look?"


Even the one(s) only accessible on the specified domain set in the cookie?

----- Original Message -----
From: Owens, Howard <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, May 16, 2000 6:45 PM
Subject: RE: "You have nice cookies .. mind if I have a look?"


>
> I went to the site and was able to search for any domain that has set
> cookies on my computer.  The full Amazon cookie could be pulled up
> (thankfully, one-click is not enabled on this machine).
>
>
> H.
>
> =========================
> Howard Owens
> Web Producer
> InsideVC.com
> mailto:[EMAIL PROTECTED]
> =========================
>
> > -----Original Message-----
> > From: Todd Ashworth [SMTP:[EMAIL PROTECTED]]
> > Sent: Tuesday, May 16, 2000 3:36 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: "You have nice cookies .. mind if I have a look?"
> >
> > I'm not sure .. of course all the reports I've seen are going for shock
> > value and leaving the technical details useful to the rest of us out. You
> > could test it I suppose.  You could set such a cookie on your computer and
> > then go to the test site mentioned in the article and see if the exploit can
> > find your cookie .. it gives you the option to type in a specific domain
> > name to search for.  It would be really kinda cool if it wasn't a potential
> > hazard.
> >
> > BTW, Amazon and friends encrypt their cookies, from what I've heard. Anyone
> > have any CF related info on doing the same?
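The last question in the quoted thread is how to keep cookie contents from being useful to whoever reads them. The example below is added here and is not code from anyone in this thread; it is plain Python using only the standard library, and the key, the in-memory session table and the payloads are constructed for the demo. It shows the two server-side habits that limit what a cookie-disclosure bug can leak: keep user data out of the cookie and hand the browser only a short-lived opaque token that is resolved server-side, and where a value must live in the cookie, attach an HMAC so the server detects any edit to it.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the demo: a per-process key and an in-memory session table
# standing in for a real key store and database.
SERVER_KEY = secrets.token_bytes(32)
SESSION_STORE = {}


def issue_opaque_session(user_id, ttl_seconds=900):
    """Create a random, meaningless token; the user data stays on the server.

    A cookie holding this token reveals nothing about the user if read, and
    the short TTL bounds how long a leaked token stays valid."""
    token = secrets.token_urlsafe(32)
    SESSION_STORE[token] = {"user": user_id, "expires": time.time() + ttl_seconds}
    return token


def resolve_session(token):
    """Map a presented token back to its user, or None if unknown or expired."""
    entry = SESSION_STORE.get(token)
    if entry is None or entry["expires"] < time.time():
        SESSION_STORE.pop(token, None)
        return None
    return entry["user"]


def revoke_session(token):
    """Server-side kill switch: invalidate a token as soon as misuse is suspected."""
    SESSION_STORE.pop(token, None)


def sign_cookie(payload, key=None):
    """Serialise a small dict into 'base64body.hexmac' so edits are detectable.

    This gives integrity, not secrecy: anyone who reads the cookie can decode
    the body, so keep secrets out of it and rely on the opaque token instead."""
    key = key or SERVER_KEY
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_cookie(value, key=None):
    """Return the payload if the MAC checks out, otherwise None."""
    key = key or SERVER_KEY
    try:
        body, mac = value.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no separator at all
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak the expected MAC.
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


if __name__ == "__main__":
    tok = issue_opaque_session("alice")
    print("opaque token resolves to:", resolve_session(tok))
    revoke_session(tok)
    print("after revocation:", resolve_session(tok))

    cookie = sign_cookie({"theme": "dark", "lang": "en"})
    print("valid cookie ->", verify_cookie(cookie))
    print("edited cookie ->", verify_cookie("x" + cookie))
```

Encrypting the cookie body, as the thread suggests large sites do, hides its contents but does not stop a copied cookie from being presented again; that is why the opaque-token design pairs a value with no meaning of its own with a short TTL and a server-side revoke.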

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
