Vigil@nce - IE: cookie reading via a proxy
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When Internet Explorer is configured to use the same proxy for
HTTP and HTTPS, some queries are sent to another site, so an
attacker can for example obtain victim’s cookies.
Impacted products: IE
Severity: 1/4
Creation date: 31/01/2013
DESCRIPTION OF THE VULNERABILITY
Internet Explorer can be configured to send its queries to a
proxy, which downloads documents, and then return them to the
user. The same proxy can be configured for HTTP (port 80) and
HTTPS (HTTP in SSL, port 443) sessions.
However, when several successive connections are requested for an
HTTPS server, and then when an HTTP connection is requested for
another site, Internet Explorer asks the proxy to continue to use
the first server, but to send it cookies belonging to the second
site.
When Internet Explorer is configured to use the same proxy for
HTTP and HTTPS, some queries are therefore sent to another site,
so an attacker can for example obtain victim’s cookies.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IE-cookie-reading-via-a-proxy-12362