Closed Bug 157787 Opened 23 years ago Closed 23 years ago

Online Banking with "Deutsche Bank" is broken

Categories

(Core :: Networking: Cookies, defect, P1)

DEC
All
defect

Tracking

()

VERIFIED WORKSFORME
mozilla1.0.1

People

(Reporter: KaiE, Assigned: morse)

Details

(Keywords: regression, Whiteboard: [adt1 RTM] [ETA 7/18])

Seen on the Mozilla 1.0 branch. Online Banking with "Deutsche Bank" is broken. The culprit is a checkin with bug 155114 to the branch. After doing cvs update -j1.48.2.12 -j1.48.2.13 mozilla/extensions/cookie/nsCookies.cpp it works again. You can easily see the bug. Go to https://meine.db24.de. If you have a working browser, you'll see a form prompting to enter your account number and password etc. If you have a browser showing the bug, including the latest branch builds, you'll see a lengthy text message (German), explaining that you should turn on cookies.
Sorry, the correct backout command is: cvs update -j1.48.2.10 -j1.48.2.9 mozilla/extensions/cookie/nsCookies.cpp
Blocks: 143047
Whiteboard: [adt2 RTM] [ETA Needed]
Target Milestone: --- → mozilla1.0.1
Here's what's happening in the case of Deutsche Bank. It is setting a cookie with a path attribute of "/mod/WebObjects/db24". Then an HTTP request is made for the URL "/mod/WebObjects/db24.woa/439/wo/sKI28f0xKypvwEDoQWrJI0/0.0.FrameMain.3". That satisfies the RFC2109 cookie spec because the path attribute is a prefix of the requesting URL. But it opens the door to the attack described in bug 155114. So we need a fix for this that won't reintroduce the attack.
Status: NEW → ASSIGNED
Priority: -- → P1
How does IE work, if it doesn't have the problem? (as mentioned in bug 115114 comment 3) Why is this bug security-sensitive, anyway?
Can we just take the looser definition of path that the site seems to be using and the RFC can be read to allow? It still stops the worst of the bug 155114 abuses (bar can't read foo cookies) while still allowing some (foobar could read foo cookies, as in this case). It's probably much more important to keep Deutsche Bank working than to protect freehost.com/jsmith cookies from freehost.com/jsmithers.
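The two readings of cookie path matching argued over in the comments above, side by side, as an added example (not part of the bug report and not Mozilla's nsCookies.cpp code). The function names are hypothetical, and the /jsmith and /foo paths are constructed from the freehost.com illustration; the strict rule shown is the path-match later written down in RFC 6265 section 5.1.4, not necessarily the fix that landed in bug 155114.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Loose reading from the thread: the cookie's path attribute only has to be
// a string prefix of the request path.
bool prefix_match(const std::string& cookie_path, const std::string& request_path) {
    return request_path.compare(0, cookie_path.size(), cookie_path) == 0;
}

// Stricter reading (the path-match rule of RFC 6265 section 5.1.4): the
// prefix must also end on a '/' boundary, so "/foo" does not cover "/foobar".
bool boundary_match(const std::string& cookie_path, const std::string& request_path) {
    if (!prefix_match(cookie_path, request_path)) return false;
    if (cookie_path.size() == request_path.size()) return true;  // identical paths
    if (!cookie_path.empty() && cookie_path.back() == '/') return true;
    return request_path[cookie_path.size()] == '/';
}

// Says which of the two rules would send the cookie with this request.
std::string verdict(const std::string& cookie_path, const std::string& request_path) {
    if (boundary_match(cookie_path, request_path)) return "both";
    return prefix_match(cookie_path, request_path) ? "prefix-only" : "neither";
}

struct Case { std::string cookie_path, request_path; };

int main() {
    const std::vector<Case> cases = {
        // Paths quoted in the bug report.
        {"/mod/WebObjects/db24",
         "/mod/WebObjects/db24.woa/439/wo/sKI28f0xKypvwEDoQWrJI0/0.0.FrameMain.3"},
        // Constructed paths modelled on the freehost.com example.
        {"/jsmith", "/jsmithers/index.html"},
        {"/jsmith", "/jsmith/inbox"},
        {"/foo", "/bar/page"},
    };
    for (const Case& c : cases)
        std::cout << verdict(c.cookie_path, c.request_path) << "\t"
                  << c.cookie_path << " -> " << c.request_path << "\n";
    return 0;
}
```

The "prefix-only" rows are the trade-off in question: the Deutsche Bank cookie and the jsmith/jsmithers overlap are accepted or rejected together, because both rely on a prefix that stops in the middle of a path segment.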
Whiteboard: [adt2 RTM] [ETA Needed] → [adt1 RTM] [ETA Needed]
Whiteboard: [adt1 RTM] [ETA Needed] → [adt1 RTM] [ETA 7/18]
Patch will be put in bug 155114. Once that is checked in, this report can be closed as wfm.
*** Bug 156981 has been marked as a duplicate of this bug. ***
*** Bug 156571 has been marked as a duplicate of this bug. ***
Bug 155114 has been resolved/fixed and marked fixed1.0.1. Can this one now be resolved as wfm, or should we wait for bug 155114 to be verified?
Yes, it certainly does work for me now.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
It works for me, too, using my own Linux build. Thanks!
tever: tom can you pls verify this as WFM on the 1.0 branch? thanks!
Verified wfm branch and trunk - 07/23/02 builds winNT4, linux rh6, mac osX. Need to re-test this once bug 155114 is fixed.
Status: RESOLVED → VERIFIED
Keywords: verified1.0.1
FYI: DB24 actually does listen to qualified feedback, after a few tries :). Ping me the next time, I am their customer and use the online banking regularly.
Group: security?
Keywords: mozilla1.0.1
Whiteboard: [adt1 RTM] [ETA 7/18]
Pls do not remove ADT Status Whiteboard markings as they are there for reference, should this bug be reopened, or the issue needs to be researched further. thanks!
Whiteboard: [adt1 RTM] [ETA 7/18]