Summary: | Cookie expiry vulnerability security flaw | ||
---|---|---|---|
Product: | [Applications] konqueror | Reporter: | Preston De Guise <preston.deguise> |
Component: | kcookiejar | Assignee: | Unassigned bugs mailing-list <unassigned-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | NOR | ||
Version: | unspecified | ||
Target Milestone: | --- | ||
Platform: | Mandrake RPMs | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: |
Description
Preston De Guise
2003-01-09 03:03:00 UTC
I should note: This problem occurs with the standard KDE 3.0.3 that comes with Mandrake 9 and KDE 3.1 RC5 from the Mandrake Cooker section. It would appear that cookies that should expire are expired if you restart konqueror. i tried with 1.php <? setCookie("foo","bar",time()+60,"/"); ?> and 2.php <? if (isset($foo)) { print("foo is set"); } else { print ("foo is not set"); } ?> it seems to work correctly (after a while, 2.php says 'foo is not set' again) kde 3.1RC6 (and i just tested with 3.0.5a too) you can test it here http://kervel.mine.nu:8080/~kervel/cookietest/1.php http://kervel.mine.nu:8080/~kervel/cookietest/2.php http://kervel.mine.nu:8080/~kervel/cookietest/3.php deletes the cookie by giving it a past expire time. Subject: Re: Cookie expiry vulnerability security flaw Hi, OK, so it works with PHP. I wonder if it's a CGI only problem? Mind you, you're using two versions I haven't had a chance to test yet so I'll try RC6 as soon as the cooker RPMs are releaseed... Cheers, -Preston. kervel@drie.kotnet.org wrote: > ------- You are receiving this mail because: ------- > You reported the bug, or are watching the reporter. > > http://bugs.kde.org/show_bug.cgi?id=52776 > > > > > ------- Additional Comments From kervel@drie.kotnet.org 2003-01-09 04:20 ------- > i tried with > 1.php > <? > setCookie("foo","bar",time()+60,"/"); > ?> > > and > 2.php > <? > if (isset($foo)) { > print("foo is set"); > } else { > print ("foo is not set"); > } > ?> > > it seems to work correctly (after a while, 2.php says 'foo is not set' > again) > kde 3.1RC6 (and i just tested with 3.0.5a too) > > you can test it here > > http://kervel.mine.nu:8080/~kervel/cookietest/1.php > > http://kervel.mine.nu:8080/~kervel/cookietest/2.php > > http://kervel.mine.nu:8080/~kervel/cookietest/3.php deletes the cookie by giving > it a past expire time. Subject: Re: Cookie expiry vulnerability security flaw Please provide a URL where we can reproduce this behaviour. If you set the cookie policy to ask, what is the expire time as reported by the cookie dialog? Cheers, Waldo Subject: Re: Cookie expiry vulnerability security flaw
> ------- Additional Comments From bastian@kde.org 2003-01-09 13:16 -------
> Subject: Re: Cookie expiry vulnerability security flaw
>
> Please provide a URL where we can reproduce this behaviour. If you set the
> cookie policy to ask, what is the expire time as reported by the cookie
> dialog?
It will take me +3 weeks to supply a URL at the moment as I'm on the road and
don't have access to an externally available webserver.
However, here's a snippet of CGI code...
use CGI;
my $query = new CGI;
my $cookie = $query->cookie(-name=>"CookieName",
-value=>"$username|$password",
-expires=>"+1h");
print $query->header(-cookie=>[$cookie]);
print $query->end_html;
I don't know if attachments are accepted by the bug list but I've attached a
screen-shot of the offending cookie. This was from me logging into the system a
few minutes ago :)
The "expires" string on the cookie is "2003-01-10 09:28", which means it should
expire at 09:28 this morning. However, experience tells me that it will remain
there until such time as I restart konqueror.
Cheers,
-Preston de Guise.
Subject: Re: Cookie expiry vulnerability security flaw
> ------- Additional Comments From bastian@kde.org 2003-01-09 13:16 -------
> Subject: Re: Cookie expiry vulnerability security flaw
>
> Please provide a URL where we can reproduce this behaviour. If you set the
> cookie policy to ask, what is the expire time as reported by the cookie
> dialog?
I should have answered your second question - sorry. I'll blame that on a lack
of coffee :)
If I turn on prompt-for-confirmation for the cookies it correctly shows an
expiry time 1 hour into the future - e.g., 2002-01-10 09:34
Cheers,
-Preston
Fixed. Back ported into the upcoming 3.1 release branch as well. See http://lists.kde.org/?t=104208048400003&r=1&w=2. Regards, Dawit A. Subject: Re: Cookie expiry vulnerability security flaw
Hi,
Dawit Alemayehu wrote:
> ------- You are receiving this mail because: -------
> You reported the bug, or are watching the reporter.
>
> http://bugs.kde.org/show_bug.cgi?id=52776
> adawit@kde.org changed:
>
> What |Removed |Added
> ----------------------------------------------------------------------------
> Status|UNCONFIRMED |RESOLVED
> Resolution| |FIXED
>
>
>
> ------- Additional Comments From adawit@kde.org 2003-01-10 02:56 -------
> Fixed. Back ported into the upcoming 3.1 release branch as well. See
> http://lists.kde.org/?t=104208048400003&r=1&w=2.
Thanks to everyone for working on this. Again I'm much impressed with the
efforts of the KDE team.
I look forward to trying to next release.
Cheers,
-Preston
|