J-Security Center

Title: Microsoft Internet Explorer Cookie Disclosure Vulnerability

Severity: HIGH

Description:

Internet Explorer contains a vulnerability that could allow an attacker to retrieve and modify cookie information associated with arbitrary websites.

The vulnerability is due to an error in hostname parsing. A specially formatted hostname can allow a malicious website to read and modify cookies that other websites have set.

Cookies stored by a client are meant to be accessible only to the website that issued them. When a website attempts to retrieve a cookie, the client compares the hostname of the requesting site to the hostnames associated with the stored cookies. If a cookie on the client computer is associated with the website hostname, it can be accessed. MSIE contains a flaw in this comparison operation that may allow a malicious webpage to view cookies associated with arbitrary websites.

When comparing the website hostname to those associated with cookies, a parsing error can cause only part of the website hostname to be compared. Certain characters act as hostname 'terminators', causing the substring preceding the character to be treated as the entire hostname during the comparison. The single space is one such character.

If an attacker can have a hostname containing a space (or another of the few characters that cause hostname 'termination') resolve to a server under their control, that server can retrieve cookies associated with any domain that matches the preceding substring.

For example,

www.site.com%20malicious.website.com.

An attacker running a web server at 'www.site.com%20malicious.website.com' (where %20 is the URL-encoded space) would be able to retrieve cookies associated with 'www.site.com', because only the substring before the space takes part in the comparison.
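The following is an added illustration of the comparison flaw described above; it is not code from this advisory or from Microsoft, and it does not reproduce IE's actual implementation. It models a cookie jar whose domain check truncates the request hostname at a terminator character, next to a hardened check that validates the hostname before comparing. The cookie jar contents, the hostnames and the tab/CR/LF entries in the terminator list are constructed assumptions (the advisory names only the space).

```javascript
// Added example, not the advisory's or Microsoft's code. Models the flawed
// hostname comparison described in the advisory beside a hardened version.
// All cookie data and hostnames below are constructed sample input.

// Characters treated as hostname "terminators". The advisory names the space;
// tab, CR and LF are assumptions added only to make the model general.
const TERMINATORS = [' ', '\t', '\r', '\n'];

// Model of the vulnerable behaviour: cut the hostname at the first terminator
// so that only the preceding substring takes part in the comparison.
function truncateAtTerminator(host) {
  let end = host.length;
  for (const t of TERMINATORS) {
    const i = host.indexOf(t);
    if (i !== -1 && i < end) end = i;
  }
  return host.slice(0, end);
}

// Case-insensitive exact-host or parent-domain match, the way a cookie's
// domain attribute is compared against the request host.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// Vulnerable check: compares the truncated hostname.
function vulnerableMatch(requestHost, cookieDomain) {
  return domainMatches(truncateAtTerminator(requestHost), cookieDomain);
}

// Hardened check: reject any request host that is not a syntactically valid
// DNS name (letters, digits, hyphens and dots only) before comparing, so a
// host containing a space or other terminator never reaches the jar.
const VALID_HOSTNAME =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\.?$/i;

function hardenedMatch(requestHost, cookieDomain) {
  if (!VALID_HOSTNAME.test(requestHost)) return false;
  return domainMatches(requestHost.replace(/\.$/, ''), cookieDomain);
}

// Minimal cookie jar lookup: the cookies a page on `requestHost` may read,
// using whichever match function is supplied.
function cookiesFor(jar, requestHost, match) {
  return jar
    .filter((c) => match(requestHost, c.domain))
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed sample jar: a session cookie for the victim site and an
// unrelated cookie for the attacker's own domain.
const SAMPLE_JAR = [
  { domain: 'www.site.com', name: 'SESSIONID', value: 'deadbeef' },
  { domain: 'malicious.website.com', name: 'tracker', value: '1' },
];

// The attacker-controlled name from the advisory, with %20 decoded to a space.
const ATTACKER_HOST = decodeURIComponent('www.site.com%20malicious.website.com');

// Runs the attacker host through both checks, plus a legitimate request to
// show the hardened check still serves the real site.
function demo() {
  return {
    vulnerable: cookiesFor(SAMPLE_JAR, ATTACKER_HOST, vulnerableMatch),
    hardened: cookiesFor(SAMPLE_JAR, ATTACKER_HOST, hardenedMatch),
    legitimate: cookiesFor(SAMPLE_JAR, 'www.site.com', hardenedMatch),
  };
}

console.log(demo());
```

Under the vulnerable check the attacker host is reduced to 'www.site.com' and receives the victim's SESSIONID cookie; under the hardened check the same host is rejected outright, while a genuine request from 'www.site.com' still gets its cookie. The fix is validating the hostname as a whole rather than trying to enumerate terminator characters.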

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information such as session IDs and authentication credentials, which could assist in further attacks against the user or the web servers that issued the cookies.

It should be noted that some web servers will not process requests of this type because of the malformed Host: header that is generated. Some proxy servers will also reject the request, in which case IE reports a malformed request error.

Affected Products:

  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Windows ME
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP Home
  • Microsoft Windows XP Professional

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.