
[escepticos] better disable JavaScript in IE, just in case

Hello, hello.

Although, contrary to Borja, I believe Yoko Ono is to blame for everything,
I'm letting you know about a new security hole in Internet Explorer.

If you have JavaScript enabled, anyone can read your cookies. It's not
excessively dangerous, but it is a little. It depends on what you store in
them. And who knows whether Microsoft's incompetence will be joined by that
of someone else who stores really important information in cookies.

Cookies, for those who don't know, are little files that you keep on your
computer (if you accept them, of course) with some information that some
web server sets, so that when you connect to that server again it can
retrieve it. For examples, see the attachment.

Regards,
	Carlitos

(http://www.peacefire.org/security/iecookies/)

How it works
Using a specially constructed URL, a Web site can read Internet Explorer
cookies set from any domain. For example, to read a user's Amazon.com
cookie, a site could direct the user's browser to:
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
If you replace the "%2f"s with "/" characters, and the "%3F" with "?",
this URL is actually:
http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com
But IE gets confused and thinks the page is located in the Amazon.com
domain, so it allows the page to read the user's Amazon.com cookie.

Affected:
Internet Explorer (all known versions) for Windows 95, 98 and NT. IE for
the Macintosh and IE for UNIX do not appear to be affected, and no version
of Netscape Navigator or any other browser is vulnerable.

Workaround:
If you are using Internet Explorer for Windows, the safest workaround is
to disable JavaScript. Apparently when the browser loads one of these
"funny" URLs like
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
the Amazon.com cookie is only available to JavaScript code on the page; it
is not submitted to the server in an HTTP header. Also, if you have
Netscape's browser installed, it is not affected by the bug.

Implications

Jamie McCarthy came up with a list of cookies set by various sites that
could be used to retrieve sensitive information:

  - By intercepting a cookie set by HotMail, Yahoo Mail or any other
    free Web-based email site that uses cookies for authentication, the
    operator of a hostile Web site could break into a visitor's HotMail
    account and read the contents of their Inbox. (HotMail cookies do not
    contain user passwords, but they do allow a third party to access a
    user's HotMail account for as long as that user stays logged in, since
    each separate login generates a new cookie.)
  - A user's Amazon.com cookie could be used to visit Amazon.com
    impersonating that user, and access their real name, email address, and
    the user's list of "recommended titles" -- which can be used to
    determine what types of books or CDs the user has purchased from Amazon
    in the past. (You cannot, however, access the user's credit card number
    or their actual list of previous Amazon.com orders, since accessing this
    information requires a password that is not contained in the cookie.)
  - A user's MP3.com cookie stores their email address.
  - A user's NYTimes.com cookie stores their NYTimes.com password. This
    isn't useful by itself, since the password is only needed to browse
    articles on NYTimes.com, but exposing this password is still dangerous
    since users might have the same password set up for several different
    sites.
  - A user's Hollywood.com cookie stores their city, state, and zip code.
  - A user's Playboy.com cookie stores the fact that the user has visited
    Playboy.com -- which not every Playboy visitor would want the whole
    world to know. (Yeah, we know, you just wanted to read the Jesse
    Ventura interview.)