CVE-2004-1527
Description
Microsoft Internet Explorer 6.0 SP1 improperly validates Path attribute in cookies, allowing attackers to overwrite cookies from other domains and hijack web sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Microsoft Internet Explorer 6.0 Service Pack 1 contains a vulnerability in its cookie handling logic. The browser fails to properly validate certain character strings in the Path attribute when accepting cookies. This allows an attacker to craft a cookie with a Path attribute that, under specific conditions, can overwrite a cookie issued by a different domain. The affected version is Internet Explorer 6.0 SP1 [2].
Exploitation
An attacker must be able to send a crafted cookie to a victim's browser. Two preconditions facilitate exploitation: (1) the attacker's domain name is contained within the target's domain name, or (2) the target site uses wildcard DNS, causing the attacker's IP address to be contained within the target's IP address. Once these conditions are met, the attacker can set a cookie with a crafted Path attribute that overwrites the legitimate cookie of the target domain, effectively hijacking the session [2].
Impact
Successful exploitation allows the attacker to overwrite cookies belonging to another domain. This can lead to session hijacking, enabling the attacker to impersonate a legitimate user and gain unauthorized access to web applications and services [2].
Mitigation
Microsoft addressed this vulnerability in Windows XP Service Pack 2. Users unable to upgrade can configure Internet Explorer to prompt before accepting cookies: navigate to Internet Options > Privacy > Advanced, check "Override automatic cookie handling", set First-party Cookies to "Prompt", and click OK [2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 6.0 SP1
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.