CVE-2014-1296 Information

Description

CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header’s value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
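The completeness check described above, as an added example (not Apple's code or fix): a lenient parser interprets whatever bytes arrived before the connection closed, while a strict one only interprets header lines terminated by CRLF. The function names and the sample response are constructed for illustration, and dropping an unterminated line is an assumed policy, one way to enforce the check.

```python
CRLF = b"\r\n"

def split_header_block(raw: bytes):
    """Split a raw response into (complete header lines, unterminated tail)."""
    head, sep, _body = raw.partition(CRLF + CRLF)
    if sep:                       # blank line seen: every header line is complete
        return head.split(CRLF)[1:], b""
    lines = raw.split(CRLF)       # connection closed inside the header block
    tail = lines.pop()            # bytes after the last CRLF (may be empty)
    return lines[1:], tail        # [1:] skips the status line

def parse_set_cookie(line: bytes):
    """Parse one header line; return None unless it is a Set-Cookie header."""
    name, _, value = line.partition(b":")
    if name.strip().lower() != b"set-cookie":
        return None
    parts = [p.strip() for p in value.split(b";")]
    attrs = {p.split(b"=")[0].lower() for p in parts[1:]}
    cname, _, cval = parts[0].partition(b"=")
    return {"name": cname.decode(), "value": cval.decode(),
            "httponly": b"httponly" in attrs}

def cookies_lenient(raw: bytes):
    """Behaviour the CVE describes: the unterminated tail is interpreted too."""
    lines, tail = split_header_block(raw)
    return [c for c in map(parse_set_cookie, lines + [tail]) if c]

def cookies_strict(raw: bytes):
    """Only CRLF-terminated header lines are interpreted; the tail is dropped."""
    lines, _tail = split_header_block(raw)
    return [c for c in map(parse_set_cookie, lines) if c]

# Constructed sample response, and the same response cut off mid-header.
FULL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        b"Set-Cookie: sid=constructed123; Secure; HttpOnly\r\n\r\n<html>")
TRUNCATED = FULL[:FULL.index(b"; HttpOnly")]

if __name__ == "__main__":
    print("full, strict:      ", cookies_strict(FULL))
    print("truncated, lenient:", cookies_lenient(TRUNCATED))
    print("truncated, strict: ", cookies_strict(TRUNCATED))
```
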

Reference

http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html
http://archives.neohapsis.com/archives/bugtraq/2014-04/0135.html
http://archives.neohapsis.com/archives/bugtraq/2014-04/0136.html
