Microsoft IE Cookie Disclosure Vulnerability

IE determines whether or not to provide cookie information by comparing the domain of the host requesting the cookie to the domain of the host that provided the cookie. In URLs, this procedure ignores escaped characters, so that the URL http: // will be properly determined to be originating from, while the URL http: // will be misinterpreted as originating from, and all cookies on the victim's system will be freely issued to

Referring IE to such a URL makes it possible for a malicious web site to view a users cookies from the target domain. It is also possible to exploit this by sending HTML email to the target, using the hostile URL as the src value of an IFRAME. Such an email could easily include several different URLs, each pulling cookies from a seperate domain.


Privacy Statement
Copyright 2010, SecurityFocus