COMMAND

    cookie

SYSTEMS AFFECTED

    Systems running Internet Explorer

PROBLEM

    Some recent  testing on  cookies has  shown that  the MS  Internet
    Explorer is  not very  particular about  where it  takes a  cookie
    from.  I found two cases where the IE takes a cookie for a  domain
    that is not the same as the server that sets it.

    Assume HTTP server in URL = www.domain.com

    If the domain  in the Set-Cookie  directive is a  substring of the
    tail of the server's domain, then the IE accepts the cookie.

    Example:
        domain=omain.com
        domain=main.com
        domain=n.com

    If the domain in the  Set-Cookie directive is the server's  domain
    name,  plus  any  single  preceding  character,  the IE will  also
    accept it.

    Example:
        domain=adomain.com
        domain=?domain.com

    In both cases, the IE creates  a cookie file on the hard  disk for
    the given domain and will submit  the cookie to an HTTP server  in
    that  domain  (i.e.  the  cookie  for  main.com  will  be  sent to
    www.main.com).   The IE  will not  send the  cookies for these new
    domains back to  the original server  (i.e. main.com cookie  won't
    be sent to www.domain.com).
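
    The two cases above, set beside a label-boundary domain check, as
    an added example (not code from the advisory or from Microsoft).
    observed_ie_accepts is a model of the reported behaviour only, and
    it assumes "the server's domain" means the host name minus its
    first label; strict_accepts follows the domain-match rule of
    RFC 6265 section 5.1.3.

```python
import ipaddress

def observed_ie_accepts(host, cookie_domain):
    """Model of the two reported cases; not Internet Explorer's actual code."""
    host, dom = host.lower(), cookie_domain.lower()
    # Case 1: the Domain value is any tail of the host name.
    if dom and host.endswith(dom):
        return True
    # Case 2: one extra leading character in front of the server's domain.
    # Assumption: "server's domain" = host name minus its first label.
    parent = host.partition(".")[2]
    return len(dom) > 1 and dom[1:] == parent

def strict_accepts(host, cookie_domain):
    """Label-boundary domain match (RFC 6265 section 5.1.3 style)."""
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower()
    if dom.startswith("."):
        dom = dom[1:]              # a single leading dot is ignored
    try:
        ipaddress.ip_address(host)
        return host == dom         # IP literal: exact match only
    except ValueError:
        pass
    if "." not in dom:
        return False               # single label such as "com": simplified
                                   # stand-in for a public-suffix check
    return host == dom or host.endswith("." + dom)

# Constructed sample input: the advisory's Domain values plus legitimate ones.
HOST = "www.domain.com"
DOMAINS = ["omain.com", "main.com", "n.com", "adomain.com", "?domain.com",
           "domain.com", ".domain.com", "www.domain.com"]

def compare(host=HOST, domains=DOMAINS):
    """Return {domain: (observed_model, strict)} for each Domain value."""
    return {d: (observed_ie_accepts(host, d), strict_accepts(host, d))
            for d in domains}

if __name__ == "__main__":
    for dom, (loose, strict) in compare().items():
        print(f"Domain={dom:<16} observed={loose!s:<5} strict={strict}")
```

    Only the last three Domain values pass the strict check; the five
    taken from the advisory pass the model and fail the strict check.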

    Obviously, being able to write  cookies for someone else is  not a
    good thing, but something else  that I've thought of is  that this
    allows a single server to fill  up a browser's cookie cache.   The
    spec says that the browser  should have space for 300  cookies and
    a limit of 20 from an individual server.  Being able to write  for
    multiple domains,  it would  be trivial  to overflow  the cache.  At
    the very  least, a  malicious server  could fill  the IE  system's
    hard disk with a bunch of 4K files.

SOLUTION

    This  was  supposed  to  have  been  fixed  in IE 3.01.  It can be
    downloaded for free from www.microsoft.com.