Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua University reported reported that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. This attack only allows cookies to be written but does not allow them to be read.
CPE | Name | Operator | Version |
---|---|---|---|
firefox | lt | 35 | |
firefox esr | lt | 31.4 | |
seamonkey | lt | 2.32 | |
thunderbird | lt | 31.4 |