From: william@interval.net (William C. Archibald)
Date: Wed, 27 Sep 95 08:51:43 PDT
To: rfb@lehman.com
Subject: Re: [NOISE] Re: Easter Eggs
Message-ID: <9509271550.AA13262@entropy.interval.net>
MIME-Version: 1.0
Content-Type: text/plain



alano@teleport.com <Alan Olsen> ]:
>    obNetscapeHack: There is a feature called a "cookie file" in
>    Netscape that is ripe for exploitation as a security leak.  If you
>    are using a Netscape server (and you may not even need that), you
>    can feed all sorts of information into it without the user's
>    knowlege.  I have heard of one page that overloads the cookie file
>    until the machine runs out of drive space.  I am sure that there
>    are other exploitable holes there...  Any takers?
Umm. The spec says that there is a maximum cookie size and a maximum
number of cookies that should be sent. I'll be the last to claim
that Netscape created a 'standards-compliant' product, but they
have at least recognized that these things aren't supposed to be
infinitely large.

rfb@lehman.com <Rick Busdiecker> ]:
> Yikes!  That sounds really bad.  Do you have any more information on
> this?  For example, can the server write to anything other than
> $HOME/.netscape-cookies?  If I write protect that file, but it's still
> owned by me, will Netscape still modify it?
The server can't write anything. Cookies are returned as HTTP 
response headers, which will either be:
	A) Ignored by a cookie-ignorant browser, or, 
	B) Processed by a cookie-aware browser.

In either case, the cookie cache reading/writing is done by the
browser. If the browser is running as 'you' then it can access
files that 'you' own. If you write protect it against yourself, then
its likely that your user-agent (Netscape) running as 'you' can't
write to that file.

Cheers!
w. archibald
=