Bugtraq mailing list archives

RE: Microsoft IE cookies readable via about: URLS
From: "Per Arne Johansson" <perarne () johansson com>
Date: Mon, 12 Nov 2001 14:06:35 +0100

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
Sent: Friday, November 09, 2001 3:51 PM
To: bugtraq () securityfocus com
Cc: Jouko Pynnonen
Subject: Re: Microsoft IE cookies readable via about: URLS

A better workaround (assuming that you feel cookies are "relatively 
useful" and would rather not turn them off) is to put about: URLs 
into the Restricted Sites zone, as detailed in Andrew Clover's 
followup to his own post:


In short, create a DWORD value named "about" under:


and set it to 4.

I just tested this against your test page and with the above value set,
the test tells me "No cookies found for site...". 
Interestingly, this registry change seems to have almost immediate
effect -- i.e. it did not require a restart or logout/login or even
an IE exit/restart (I did this on Win2K) but occasionally, when 
running the test page over and over alternating back and forward 
between having the above value set and not present (the default), the 
page would work as if the registry value had not yet been changed.

I have tried this workaround; it works as described and without a reboot.
However, it breaks certain applications that use the "Internet Explorer
Server Window", most notably Yahoo Instant Messenger 5. It does not affect
versions 3 or 4. My version of YAIM is 5,0,0,1036.
The effect, in short: the "Internet Explorer Server Window" remains blank,
not showing the IM texts.

This might be due to poor design on Yahoo's part, but I am posting it as
it may affect other applications as well and might not be a good
workaround for all.

Best Regards,

Per Arne Johansson
