Vigil@nce - Firefox, IE, Opera: altering HTTPS Cookies

August 2011 by Vigil@nce

This bulletin was written by Vigil@nce: http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can set up a Man in the Middle, in order to alter a
cookie, even if it was set in an HTTPS session with the "secure"
attribute.

Severity: 2/4

Creation date: 12/08/2011

IMPACTED PRODUCTS

 - Microsoft Internet Explorer
 - Mozilla Firefox
 - Mozilla SeaMonkey
 - Opera

DESCRIPTION OF THE VULNERABILITY

The HTTP protocol defines cookies (RFC 2109):
 - the server returns a cookie to the client
 - the client sends this cookie with each new connection to the
   server

For example:
 - the client connects to https://server/page1 and obtains a cookie
 - the client connects to https://server/page2 and sends this
   cookie
 - the client connects to http://server/page3 and sends this cookie

The cookie was obtained in a secure session ("https://" = HTTP over
SSL) for page1, and is sent for page3 as "http://", which means
that it travels in cleartext on the network. To forbid this
behavior, the "secure" attribute of a cookie indicates that it can
only be sent to the server within an SSL session.

However, the "secure" attribute does not prevent the cookie from
being set or overwritten over a cleartext session. An attacker can
therefore:

 - wait for the victim to have a cookie ("secure" or not) from
   https://server/
 - intercept another HTTP session to any web site, and reply with
   an HTTP redirect to http://server/
 - intercept the query to http://server/, and reply with a new
   value for the cookie

The web browser then accepts the change to the cookie previously
obtained in the SSL session.

An attacker can therefore set up a Man in the Middle, in order to
alter a cookie, even if it was set in an HTTPS session with the
"secure" attribute.
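
As an added illustration (not part of the Vigil@nce bulletin), the following JavaScript models a cookie store and replays the sequence described above, first with the behavior the bulletin reports and then with a stricter rule. The `CookieJar` class, the `protectSecure` switch and the cookie values are constructed for this example, and the stricter rule is an assumed hardening, not something the bulletin describes.

```javascript
// Simplified model of a browser cookie store (constructed for illustration;
// real stores also track path, domain and expiry).
class CookieJar {
  constructor({ protectSecure }) {
    this.protectSecure = protectSecure; // hypothetical hardening switch
    this.store = new Map(); // "host|name" -> { value, secure }
  }

  // Process a Set-Cookie header value received in a response from `url`.
  setCookie(url, header) {
    const { protocol, hostname } = new URL(url);
    const [pair, ...attrs] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq);
    const value = pair.slice(eq + 1);
    const secure = attrs.some((a) => a.toLowerCase() === "secure");
    const key = `${hostname}|${name}`;
    const existing = this.store.get(key);
    // Hardened rule (assumption, not from the bulletin): a cleartext response
    // may neither set a "secure" cookie nor replace an existing one.
    const touchesSecure = secure || (existing !== undefined && existing.secure);
    if (this.protectSecure && protocol !== "https:" && touchesSecure) return false;
    this.store.set(key, { value, secure });
    return true;
  }

  // Build the Cookie header value the client would send in a request to `url`.
  cookieHeader(url) {
    const { protocol, hostname } = new URL(url);
    const out = [];
    for (const [key, c] of this.store) {
      const [host, name] = key.split("|");
      if (host !== hostname) continue;
      if (c.secure && protocol !== "https:") continue; // "secure": HTTPS only
      out.push(`${name}=${c.value}`);
    }
    return out.join("; ");
  }
}

// Replay the bulletin's sequence; all cookie names and values are constructed.
function replay(protectSecure) {
  const jar = new CookieJar({ protectSecure });
  jar.setCookie("https://server/page1", "session=legit; secure");
  const sentInClear = jar.cookieHeader("http://server/page3");
  const accepted = jar.setCookie("http://server/", "session=altered");
  return { sentInClear, accepted, sentOverHttps: jar.cookieHeader("https://server/page2") };
}
```

With `protectSecure` off, `replay` shows the HTTPS request carrying the value written over the cleartext session; with it on, the overwrite is refused and the original value survives.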

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Firefox-IE-Opera-altering-HTTPS-Cookies-10921

