[Bug-wget] Supercookie issues
From: Tim Ruehsen
Subject: [Bug-wget] Supercookie issues
Date: Fri, 9 Nov 2012 16:27:35 +0100
User-agent: KMail/1.13.7 (Linux/3.2.0-4-amd64; KDE/4.8.4; x86_64; ; )
While implementing cookies for Mget (https://github.com/rockdaboot/mget)
conforming to RFC 6265, I stumbled over http://publicsuffix.org/ (Mozilla
Public Suffix List).
Looking at the Wget sources reveals that there is just a very incomplete check
for public suffixes. That implies a very severe vulnerability to "supercookie"
attacks when cookies are switched on (they are by default).
Since Mget was meant as a Wget2 candidate (all or parts of the sources), please
feel free to copy the needed source code from it (see cookie.c/cookie.h and
tests/test.c for test routines). Right now, I just don't have the time to do
the work, but of course I will answer your questions.
Shouldn't there be a warning within the docs / man pages?
What do you think?
Regards, Tim
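
An added example (not part of the original message, and not code from Wget or Mget) of a public-suffix check for a cookie Domain attribute, including the wildcard and exception rule types that a short hard-coded suffix check tends to miss. The rule table is a constructed subset in Public Suffix List syntax, the function names are hypothetical, and input is assumed to be lowercase ASCII.

```c
#include <stdio.h>
#include <string.h>

/* Constructed subset of rules in Public Suffix List syntax (not the real list). */
static const char *const RULES[] = { "com", "uk", "co.uk", "*.ck", "!www.ck" };
#define NRULES (sizeof RULES / sizeof RULES[0])

static int labels(const char *s) {
    int n = 1;
    for (; *s; s++) if (*s == '.') n++;
    return n;
}

/* Label count of `rule` if it matches the rightmost labels of `domain`, else 0.
 * A "*" label in the rule matches any single non-empty label. */
static int rule_match(const char *rule, const char *domain) {
    const char *r = rule + strlen(rule), *d = domain + strlen(domain);
    for (;;) {
        const char *re = r, *de = d;
        while (r > rule && r[-1] != '.') r--;
        while (d > domain && d[-1] != '.') d--;
        size_t rl = (size_t)(re - r), dl = (size_t)(de - d);
        if (dl == 0) return 0;                      /* empty label never matches */
        if (!(rl == 1 && *r == '*') && (rl != dl || memcmp(r, d, rl) != 0)) return 0;
        if (r == rule) return labels(rule);         /* every rule label matched */
        if (d == domain) return 0;                  /* rule is longer than domain */
        r--; d--;                                   /* step over the dots */
    }
}

/* Number of rightmost labels of `domain` that form its public suffix. */
static int suffix_labels(const char *domain) {
    int best = 1;                     /* default rule "*": the last label alone */
    for (size_t i = 0; i < NRULES; i++) {
        int exc = RULES[i][0] == '!';
        int n = rule_match(RULES[i] + exc, domain);
        if (n && exc) return n - 1;   /* exception rule wins, minus its left label */
        if (n > best) best = n;       /* otherwise the longest matching rule */
    }
    return best;
}

/* 1 if the Domain attribute is below a public suffix, 0 if it is one (supercookie).
 * The RFC 6265 section 5.3 case where it equals the request host is left to the caller. */
int cookie_domain_ok(const char *domain) {
    if (*domain == '.') domain++;     /* RFC 6265 section 5.2.3: drop a leading dot */
    return *domain != '\0' && labels(domain) > suffix_labels(domain);
}

int main(void) {
    printf("%d %d\n", cookie_domain_ok("example.co.uk"), cookie_domain_ok(".co.uk"));
    return 0;
}
```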