Poison MS Cookies (was Re: [TriLUG] Re: Wachovia Online Banking)
Jon Carnes
jonc at nc.rr.com
Sat Feb 9 01:23:41 EST 2002
The app was definitely not RFC 2109 compliant... writing bogus tabular
information into the file containing the cookies, and the data contained
some encrypted fields with non-escaped special characters - I would have to
say that it was definitely out of spec...
It did, however, have a consistent form that was easy to test for.
When someone tried to pull up one of Mailman's admin pages, it would simply
freeze and lock the config file. You never even got the prompt for your
authentication password. Of course it was reading the file that the cookie
would be stored in - looking to see if you had already authenticated.
> Just out of curiosity, Jon, could you explain a little bit
> more about what was messed up in the cookies, and what
> in mailman didn't play well with them. Were the cookies
> actually out of spec, or was mailman out of spec? Just
> curious.
>
> Thanks,
> Tanner
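As an added example (not code from the thread or from Mailman), the following Python checks each cookie pair against the RFC 2109 grammar (name and value must be a token or a quoted-string) and reports malformed pairs instead of failing on them, which is the kind of test Jon describes. The cookie header string is constructed for illustration.

```python
import re

# RFC 2109 reuses the RFC 2068 "token" rule: printable ASCII with no
# CTLs and none of these separator characters (tspecials).
TSPECIALS = set('()<>@,;:\\"/[]?={} \t')

# quoted-string: "..." with any embedded '"' or '\' backslash-escaped,
# and no raw control characters.
QUOTED_RE = re.compile(r'^"(?:[^"\\\x00-\x1f\x7f]|\\[\x00-\x7f])*"$')


def is_token(s):
    """True if s is a non-empty RFC 2068 token."""
    return bool(s) and all(0x21 <= ord(c) <= 0x7E and c not in TSPECIALS
                           for c in s)


def is_quoted_string(s):
    return QUOTED_RE.match(s) is not None


def classify_pair(pair):
    """Return (name, value, status); status is 'ok' or the reason it fails."""
    if '=' not in pair:
        return (pair.strip(), None, 'missing =')
    name, value = pair.split('=', 1)
    name, value = name.strip(), value.strip()
    if not is_token(name):
        return (name, value, 'name is not a token')
    if is_token(value) or is_quoted_string(value):
        return (name, value, 'ok')
    # Unescaped '/', '=', ',' etc. in an unquoted value land here.
    return (name, value, 'value is neither token nor quoted-string')


def parse_cookie_header(header):
    """Split on ';' and classify every pair rather than raising.

    A value containing a raw ';' cannot be recovered by any splitter,
    which is why out-of-spec values must be quoted or escaped by the writer.
    """
    return [classify_pair(raw) for raw in header.split(';') if raw.strip()]


# Constructed sample: third pair carries an unquoted value with '/' and '='.
SAMPLE = 'mailman+admin=abc123; $Version=1; TOKEN=k2/Qz=+x; widget="a b"'

if __name__ == '__main__':
    for name, value, status in parse_cookie_header(SAMPLE):
        print(f'{name!r} -> {status}')
```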