[Bug 163774] Questions about domain name policies in /usr/share/apps/khtml/domain_info

Stephane Bortzmeyer bortzmeyer+kde at nic.fr
Thu Jun 19 09:32:48 BST 2008


On Mon, Jun 16, 2008 at 01:27:54PM +0100,
 Richard Moore <richmoore44 at gmail.com> wrote 
 a message of 21 lines which said:

> IIRC it is to deal with the cross-domain cookie issue Paul Johnston
> and I reported in 2004. See
> http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt

Well, the attacks described in this paper are all because of bad
practices from Web applications, no? For instance, the attack:

  1) http://example.ltd.uk/ is identified for attack. It uses the "sid"
     cookie to hold the session ID.
  2) Attacker obtains attacker.ltd.uk domain
  3) User is enticed to click link to http://attacker.ltd.uk/
  4) This site sets the "sid" cookie with domain=.ltd.uk
  5) When user logs into example.ltd.uk, they are using a session ID known
     to the attacker.
  6) Attacker now has a logged-in session ID and has compromised the
     user's account.

works only if, at step 5), example.ltd.uk is stupid enough to reuse
the session ID (a fresh one should be generated if there is a
successful authentication).

Also, it does not address my other questions:


2) Some TLD like ".fr" (for which I work) but also ".af", ".dz", etc,
   register both in the TLD and in subdomains. How is it handled?

3) How is this file maintained? Suppose we open ".pm" (which we,
   AFNIC, also manage) tomorrow with a "2 level" policy, how long will
   it take for this information to arrive in every Konqueror?
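The two mechanisms argued about above, as an added example that is not code from KHTML, Konqueror, or the Westpoint advisory: a cookie-domain check that refuses to scope a cookie to a registry-controlled suffix (the job the domain_info file exists for), and a login routine that always issues a fresh session ID so a planted "sid" is worthless. The suffix table is a constructed, illustrative policy (the ".fr" subdomain entries, the two-level ".uk" entries and the one-level ".pm" entry are assumptions for the example, not the contents of domain_info); the same function is also exercised with an updated policy to show what a registry change such as a two-level ".pm" would mean for the check.

```python
"""Added example: cookie domain scoping against a suffix policy, plus
session-ID regeneration on login.  Not KHTML/Konqueror code."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed sample policy (an assumption, not a copy of domain_info):
# each entry is a suffix under which arbitrary parties may register names,
# so no single site may set a cookie for it.  Mixed-level TLDs such as .fr
# simply list both the TLD and the registry-run subdomains.
SAMPLE_POLICY: Set[str] = {
    "com", "net", "org",
    "uk", "co.uk", "ltd.uk", "plc.uk",   # .uk: registrations at 2nd level
    "fr", "asso.fr", "gouv.fr",          # .fr: TLD and subdomains (assumed names)
    "pm",                                # .pm: assumed one-level policy
}


def cookie_domain_allowed(host: str, cookie_domain: str,
                          policy: Set[str] = SAMPLE_POLICY) -> bool:
    """True if a response from `host` may set a cookie scoped to `cookie_domain`.

    Two rules, in the spirit of RFC 6265 domain matching:
      1. the cookie domain must be the host itself or a parent of it;
      2. the cookie domain must not be a registry-controlled suffix,
         otherwise every registrant under it would receive the cookie.
    """
    host = host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if not dom or not host:
        return False
    if dom in policy:                      # rule 2: e.g. ".ltd.uk" or ".asso.fr"
        return False
    return host == dom or host.endswith("." + dom)   # rule 1


@dataclass
class SessionStore:
    """Minimal server-side session table: sid -> logged-in user (None = anonymous)."""
    sessions: Dict[str, Optional[str]] = field(default_factory=dict)

    def login(self, presented_sid: str, username: str,
              password_ok: bool) -> Optional[str]:
        """Authenticate and ALWAYS mint a new session ID.

        The sid the browser presented may have been planted by an attacker
        (step 4 of the attack above), so it is discarded rather than upgraded.
        """
        if not password_ok:
            return None
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def login_fixating(self, presented_sid: str, username: str,
                       password_ok: bool) -> Optional[str]:
        """The weak variant: reuses whatever sid the browser presented.
        This is the behaviour step 5 of the attack depends on."""
        if not password_ok:
            return None
        self.sessions[presented_sid] = username
        return presented_sid


if __name__ == "__main__":
    # attacker.ltd.uk trying to plant a cookie for all of .ltd.uk is refused
    print(cookie_domain_allowed("attacker.ltd.uk", ".ltd.uk"))          # False
    print(cookie_domain_allowed("www.example.ltd.uk", ".example.ltd.uk"))  # True
    # a later policy change (a two-level ".pm", assumed here as "co.pm")
    updated = SAMPLE_POLICY | {"co.pm"}
    print(cookie_domain_allowed("evil.co.pm", ".co.pm", updated))        # False
    store = SessionStore()
    planted = "sid-planted-by-attacker"
    store.sessions[planted] = None
    print(store.login(planted, "alice", True) != planted)                # True
```

A client that does not know a suffix (the ".pm" question) falls back to rule 1 alone, which is exactly the gap the attack exploits: until the policy reaches the browser, the server-side regeneration in `login` is the only defence that does not depend on the list being current.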

More information about the kfm-devel mailing list