Closed Bug 157787 Opened 22 years ago Closed 22 years ago

Online Banking with "Deutsche Bank" is broken

Categories

(Core :: Networking: Cookies, defect, P1)

DEC
All
defect

Tracking

()

VERIFIED WORKSFORME
mozilla1.0.1

People

(Reporter: KaiE, Assigned: morse)

Details

(Keywords: regression, Whiteboard: [adt1 RTM] [ETA 7/18])

Seen on the Mozilla 1.0 branch.

Online Banking with "Deutsche Bank" is broken

The culprit is a checkin with bug 155114 to the branch.

After doing
  cvs update -j1.48.2.12 -j1.48.2.13 mozilla/extensions/cookie/nsCookies.cpp
it works again.

You can easily see the bug.
Go to
  https://meine.db24.de

If you have a working browser, you'll see a form prompting to enter your account
number and password etc.

If you have a browser showing the bug, including the latest branch builds,
you'll see a lengthy text message (German), explaining that you should turn on
cookies.
Sorry, the correct backout command is:
  cvs update -j1.48.2.10 -j1.48.2.9 mozilla/extensions/cookie/nsCookies.cpp
Blocks: 143047
Whiteboard: [adt2 RTM] [ETA Needed]
Target Milestone: --- → mozilla1.0.1
Here's what's happening in the case of Deutsche Bank.

It is setting a cookie with a path attribute of

  "/mod/WebObjects/db24".

Then an http request is made for the URL

  "/mod/WebObjects/db24.woa/439/wo/sKI28f0xKypvwEDoQWrJI0/0.0.FrameMain.3"

That satisfies the RFC2109 cookie spec because the path attribute is a prefix of 
the requesting URL.  But it opens the door to the attack described in bug 
155114.  So we need a fix for this that won't reintroduce the attack.
Status: NEW → ASSIGNED
Priority: -- → P1
How does IE work, if it doesn't have the problem? (as mentioned in bug 115114
comment 3)

Why is this bug security-sensitive, anyway?
Can we just take the looser definition of path that the site seems to be using
and the RFC can be read to allow? It still stops the worst of the bug 155114
abuses (bar can't read foo cookies) while still allowing some (foobar could read
foo cookies, as in this case).

It's probably much more important to keep Deutsche Bank working than to protect
freehost.com/jsmith cookies from freehost.com/jsmithers.
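
The two readings of "the path attribute is a prefix" weighed in the comments above, as an added C++ example that is not part of this bug report or of nsCookies.cpp: a plain string-prefix match next to a directory-boundary match as later written down in RFC 6265 section 5.1.4. The function names and the freehost request paths are assumptions, and the stricter rule is not claimed to be what the bug 155114 patch did.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Loose rule (RFC 2109 as read in the thread): the cookie's Path attribute
// only has to be a string prefix of the request path.
bool prefixMatch(const std::string& cookiePath, const std::string& requestPath) {
    return requestPath.compare(0, cookiePath.size(), cookiePath) == 0;
}

// Strict rule (RFC 6265 section 5.1.4): the prefix must end on a '/' boundary,
// so "/jsmith" covers "/jsmith/inbox" but not "/jsmithers".
bool boundaryMatch(const std::string& cookiePath, const std::string& requestPath) {
    if (!prefixMatch(cookiePath, requestPath)) return false;
    if (cookiePath.size() == requestPath.size()) return true;      // identical paths
    if (!cookiePath.empty() && cookiePath.back() == '/') return true;
    return requestPath[cookiePath.size()] == '/';
}

// Request paths that receive the cookie only under the loose rule: the
// sibling-path exposure the strict rule removes, and the sites it breaks.
std::vector<std::string> looseOnly(const std::string& cookiePath,
                                   const std::vector<std::string>& requests) {
    std::vector<std::string> out;
    for (const auto& r : requests)
        if (prefixMatch(cookiePath, r) && !boundaryMatch(cookiePath, r))
            out.push_back(r);
    return out;
}

int main() {
    // Cookie path and request URL quoted in this bug report.
    const std::string bankCookie = "/mod/WebObjects/db24";
    const std::string bankRequest =
        "/mod/WebObjects/db24.woa/439/wo/sKI28f0xKypvwEDoQWrJI0/0.0.FrameMain.3";
    std::cout << "bank  loose=" << prefixMatch(bankCookie, bankRequest)
              << " strict=" << boundaryMatch(bankCookie, bankRequest) << "\n";

    // Constructed request paths for the freehost.com case from the thread.
    const std::vector<std::string> requests = {
        "/jsmith/inbox", "/jsmithers/index.html", "/bar/index.html"};
    for (const auto& r : looseOnly("/jsmith", requests))
        std::cout << "only the loose rule sends the /jsmith cookie to " << r << "\n";
    return 0;
}
```
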
Whiteboard: [adt2 RTM] [ETA Needed] → [adt1 RTM] [ETA Needed]
Whiteboard: [adt1 RTM] [ETA Needed] → [adt1 RTM] [ETA 7/18]
Patch will be put in bug 155114.  Once that is checked in, this report can be 
closed as wfm.
*** Bug 156981 has been marked as a duplicate of this bug. ***
*** Bug 156571 has been marked as a duplicate of this bug. ***
bug 155114 has been resolved/fixed and marked fixed1.0.1. can this one now be
resolved as wfm, or should we wait for bug 155114 to be verified?
Yes, it certainly does work for me now.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → WORKSFORME
It works for me, too, using my own Linux build.

Thanks!
tever: tom can you pls verify this as WFM on the 1.0 branch? thanks!
verified wfm branch and trunk - 07/23/02 builds  winNT4, linux rh6, mac osX

need to re-test this once bug 155114 is fixed

Status: RESOLVED → VERIFIED
Keywords: verified1.0.1
FYI: DB24 actually does listen to qualified feedback, after a few tries :). Ping
me the next time, I am their customer and use the online banking regularly.
Group: security?
Keywords: mozilla1.0.1
Whiteboard: [adt1 RTM] [ETA 7/18]
Pls do not remove ADT Status Whiteboard markings as they are there for
reference, should this bug be reopened, or the issue needs to be researched
further. thanks!
Whiteboard: [adt1 RTM] [ETA 7/18]