> > We call it "Misfortune Cookie" over the affected vulnerable HTTP cookie > parsing module, but MITRE insists on CVE-2014-9222 >
To be honest I'm getting rather annoyed by how Check Point is (mis)handling this vulnerability. I mean, there is already a "cool marketing name", there is a website dedicated to it, there is already this huge FAQ not answering the basic questions, etc. But there is no information on it except for "vulnerability in the Cookie parsing module of these SOHO". Seriously, if you can't disclose the vulnerability yet, please don't spam with its marketing materials. Last I checked "full disclosure" was actually about disclosing technical information and not passing links to marketing sites. Otherwise, please provide basic information as a technical description of the vulnerability (which allows reproduction) or a PoC to test whether a given device is vulnerable. Please note that you've already given enough information for the attackers to just find the vulnerability (as in "please reverse engineer the cookie parsing in this model"), so you're not doing anyone a favor by trying to play it out like this. Regards, -- Gynvael _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
