I'm not sure what threat model you are considering.
Existing threats include:
(1) A (malicious) client may send a server a request containing whatever bogus cookies
it wants regardless of the cookies the server actually sent (or didn't send). A
server must always be prepared for this.
(2) A (malicious) client may send a server a request with whatever host header it
wants. A server must always be prepared for this.
(3) A (malicious) server may send a client a response with a bogus domain attribute in
a cookie header. A client must always be prepared for this.
Setting the domain attribute of a cookie header in a response to a client from the
host header in that client's own request would allow a client to spoof itself and
overwrite/erase its own cookies. But it can manipulate its cookies directly.
Advantage: none.
As long as the host header in one request doesn't affect the response to some other
request (it would be quite strange if it did, eh?), there doesn't seem to be an
obvious problem.
I'm not seeing a new threat ... anybody else?
-ch
--
Christopher Hoover
CTO, Co-Founder, OneSpot, Inc.
tel: +1-408-562-9160
fax: +1-408-562-9161
cel: +1-408-348-0304
http://www.onespot.com/
mailto:[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Jon Stevens
Sent: Thursday, December 28, 2000 2:57 PM
To: [EMAIL PROTECTED]
Subject: Feature Addition
Hey all,
CollabNet (who I work for) has a request to be able to modify JServ to allow
it to *optionally* set the Cookie domain= header to be based on what is sent
in the Host: header by the client. My gut feeling is that there is a
security hole in this somewhere just waiting to get exploited so I'm asking
here to see if anyone else thinks that this is a possible/good/bad idea.
The advantage of allowing this is that you can have JServ respond to any
number of domains with appropriately set cookies.
Comments?
-jon
--
----------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Archives and Other: <http://java.apache.org/main/mail.html>
Problems?: [EMAIL PROTECTED]
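The feature Jon asks about (deriving the cookie Domain= attribute from the client's Host: header) and the threat Christopher lists under (2) (the Host header is whatever the client chose to send) are easy to see side by side in code. The following is an added example written for this page; it is not JServ code and not code from either poster. It assumes a Python server-side helper with a constructed allowlist `ALLOWED_DOMAINS` of the domains the operator configured, and the function names `normalize_host`, `derive_cookie_domain` and `build_set_cookie` are hypothetical. The point it shows is that the Host value is only used to *select* one of the configured domains, never echoed into the response header, and that the match is label-based so `example.com.evil.com` does not pass as `example.com`.

```python
import re
from typing import Iterable, Optional

# Constructed allowlist: the domains this server is configured to serve.
ALLOWED_DOMAINS = ("example.com", "example.org")

# RFC 1123-style hostname: labels of [a-z0-9-], 1..63 chars, dot-separated.
# Anything else (CR/LF, spaces, ';', '"', ...) fails this and is rejected.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Lower-case the Host header and strip any :port.

    Returns None for anything that is not a plain hostname, so a client-supplied
    value can never be copied into a Set-Cookie header unvalidated.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()
    # A bracketed IPv6 literal is never a usable cookie Domain value.
    if host.startswith("["):
        return None
    host = host.split(":", 1)[0].rstrip(".")
    return host if _HOSTNAME_RE.match(host) else None


def derive_cookie_domain(
    host_header: Optional[str], allowed_domains: Iterable[str] = ALLOWED_DOMAINS
) -> Optional[str]:
    """Return the configured domain the request Host falls under, or None.

    The Host header is attacker-controlled (threat 2 in the thread), so it only
    chooses among operator-configured domains. Matching is label-based:
    "example.com.evil.com" does not match "example.com".
    """
    host = normalize_host(host_header)
    if host is None:
        return None
    for domain in allowed_domains:
        domain = domain.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def build_set_cookie(
    name: str,
    value: str,
    host_header: Optional[str],
    allowed_domains: Iterable[str] = ALLOWED_DOMAINS,
) -> str:
    """Build a Set-Cookie header value.

    Domain= is added only when Host maps to a configured domain; otherwise the
    cookie is left host-only, which is the safe default.
    """
    if not re.fullmatch(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+", name):
        raise ValueError("invalid cookie name")
    # RFC 6265 cookie-octet: no CTLs, space, double quote, comma, semicolon, backslash.
    if not re.fullmatch(r'[^\x00-\x20\x7f";,\\]*', value):
        raise ValueError("invalid cookie value")
    parts = [f"{name}={value}", "Path=/", "HttpOnly"]
    domain = derive_cookie_domain(host_header, allowed_domains)
    if domain is not None:
        parts.append(f"Domain={domain}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed Host header values a (possibly malicious) client might send.
    for host in (
        "app.example.com",
        "app.example.com:8080",
        "EXAMPLE.ORG.",
        "evil.com",
        "example.com.evil.com",
        "evil.com\r\nSet-Cookie: x=y",
        "[::1]",
        "",
    ):
        print(f"{host!r:35} -> {build_set_cookie('session', 'abc123', host)}")
```

Running the block prints one Set-Cookie line per constructed Host value: the first three get `Domain=example.com` or `Domain=example.org`, the rest come back host-only because the Host either is not a configured domain or is not a well-formed hostname at all. The allowlist is what turns "set Domain from Host" into something a server can do while still being "prepared for" an arbitrary Host header, as the reply above puts it.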