Microsoft IE Cookie Disclosure Vulnerability

IE determines whether or not to provide cookie information by comparing the domain of the host requesting the cookie to the domain of the host that provided the cookie. In URLs, this procedure ignores escaped characters, so that the URL http: //www.attacker.com/gimmie_your_cookies.html?target.com will be properly determined to be originating from attacker.com, while the URL http: //www.attacker.com%2fgimmie_your_cookies.html%3f.attacker.com will be misinterpreted as originating from target.com, and all target.com cookies on the victim's system will be freely issued to attacker.com.

Referring IE to such a URL makes it possible for a malicious web site to view a users cookies from the target domain. It is also possible to exploit this by sending HTML email to the target, using the hostile URL as the src value of an IFRAME. Such an email could easily include several different URLs, each pulling cookies from a seperate domain.


 

Privacy Statement
Copyright 2010, SecurityFocus