---------------------------------------------------------------------- SNS Advisory No.79 A Possibility of Cookie Overwrite in Microsoft Internet Explorer Problem first discovered on: Mon, 01 Sept 2003 Published on: Mon, 15 Nov 2004 ---------------------------------------------------------------------- Severity Level: --------------- Low Overview: --------- Microsoft Internet Explorer contains a vulnerability that could cause a Cookie to be overwritten under certain conditions. Problem Description: -------------------- Microsoft Internet Explorer fails to check certain character strings when accepting cookies. If Internet Explorer accepts a cookie with a crafted Path attribute, it becomes possible to overwrite a cookie issued by another site under specific conditions. [Preconditions for the exploit] 1. If the target domain name contains the attacker's domain name, or if the target IP address contains the attacker's IP address 2. If the target site is running a Web service on a wildcard domain Exploitation therefore, could make it possible for attackers to hijack Web sessions and login as legitimate users. Tested Versions: ---------------- Microsoft Internet Explorer 6.0 Service Pack 1 Solution: --------- If you use Windows XP, apply Service Pack 2. Or as an alternative workaround, change the configuration as follows: 1. When accepting a cookie, please set to prompt a dialog in [Internet Options]. 1) Go to [Privacy] -> [Advanced] 2) In the "Cookies" section, check the "Override automatic cookie handling" checkbox. 3) Under First-party Cookies, select [Prompt] 4) Click [OK] 2. Please choose [Block Cookie] to cancel cookies that do not start with "/". Discovered by: -------------- Keigo Yamazaki Acknowledgements: ----------------- Microsoft Co., Ltd Disclaimer: ----------- The information contained in this advisory may be revised without prior notice and is provided as it is. Users shall take their own risk when taking any actions following reading this advisory. LAC Co., Ltd. shall take no responsibility for any problems, loss or damage caused by, or by the use of information provided here. This advisory can be found at the following URL: http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/79_e.html ------------------------------------------------------------------ Secure Net Service(SNS) Security Advisory Computer Security Laboratory, LAC http://www.lac.co.jp/security/ -- Editor's Note: The 43rd Most Powerful Person in Networking says... Register today to take the TruSecure ICSA exam by 12/31/04 at , use promo code "CT1204" and you will pay just $221.25 US Dollars for domestic exam delivery and $296.25 US Dollars for international delivery. Visit for complete details regarding the TICSA credential and to take the free sample exam.