Status
()
People
(Reporter: webmaster, Assigned: morse)
Tracking
Firefox Tracking Flags
(Not tracked)
Details
Many sites can be compromised by adding a fake cookie to cookies.txt. A common authentication technique is to store a cookie with the username, and to test for the presence of this in deciding whether to allow access. Unfortunately cookies are stored in cookies.txt in clear text, and it is therefore possible to add a fake entry and gain access to many sites. This needs fixing so that cookie names and values are encrypted so that people can't fake entry.
|
||
Comment 1•18 years ago
|
||
This would render the cookie manager completely useless. (IMHO, it's up to the site's owner to encrypt the value).
|
(Reporter) | |
Comment 2•18 years ago
|
||
Not true. The site should be able to trust that it is reading its own cookie. It is not enough to say that the site should 'do encryption'. Many (most?) web programmers are incompetent and won't do this.
|
(Assignee) | |
Comment 3•18 years ago
|
||
This is an interesting turn of events. Browser security concerns normally have to do with the site using the browser to attack the user. In this case, the user is using the browser to attack the site. It would certainly take a sophisticated user (i.e., a hacker) to know how to forge a cookie. That same user could modify the open-source browser code to do the forging for him, no matter how we encrypted the cookies file. So trying to protect the site from the user is a hopeless task. If the site has something to lose by being compromised in this manner, then I would agree with Gilles that the site should take some preventative measures and not the browser. I would think that most sites wouldn't care about this. Therefore my inclination is to close this as "wont fix". cc-ing some other security folks to see if they agree/disagree with me on this.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → WONTFIX
|
|
(Reporter) | |
Comment 4•18 years ago
|
||
> it would certainly take a sophisticated suer Open up cookies.txt. There in plain text (in mine): bugzilla.mozilla.org FALSE / FALSE 1877472107 Bugzilla_login webmaster@richinstyle.com How sophisticated do you need to be to work out what's going on there? [I bet a lot of high-profile sites could be compromised in this manner - I heard, for example, that Barclays bank, Britain's largest bank was hacked because the programmers were to stupid even to know about Pragma: no-cache (etc).]
|
||
Comment 5•18 years ago
|
||
Oh come on!!! Whatever we do with our cookies file, people can still send cookies to remote hosts using any network utility such as netcat or even telnet, which comes with every decent operating system on the planet! Any sites that can really be cracked by passing a "forged" cookie are so badly designed that they _deserve_ to be cracked. VERIFIED WONTFIX.
Status: RESOLVED → VERIFIED
|
||
Comment 6•18 years ago
|
||
One hint: Bugzilla_logincookie
|
||
Comment 7•18 years ago
|
||
I agree with the WONTFIX. This problem is up to the websites to fix, not the browser. It's too easy to work around any encryption we might put on the cookies file. Using cookies for site authentication is frowned upon anyway. And yes, this includes Bugzilla.
|
|
(Assignee) | |
Comment 8•17 years ago
|
||
*** Bug 116916 has been marked as a duplicate of this bug. ***
|
||
Comment 9•14 years ago
|
||
*** Bug 280285 has been marked as a duplicate of this bug. ***
You need to log in
before you can comment on or make changes to this bug.
Description
•