[1271] in WWW Security List Archive
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
daemon@ATHENA.MIT.EDU (Webmaster)
Tue Dec 19 12:04:47 1995
Date: Tue, 19 Dec 1995 14:58:11 +0100 (MET)
From: Webmaster <iorlas@netg.se>
To: www-security@ns2.rutgers.edu
In-Reply-To: <ML-2.0.819327482.8052.hickey@minkus>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 18 Dec 1995 hickey@ctron.com wrote:
> > I believe you're right. Netscape is caching the protected document to
> > disk and then returning it on subsequent sessions without requiring
> > reauthentication by the user. This is still a major uh-oh, but not nearly
> > as bad as my first hypothesis that Netscape was storing passwords to disk.
> >
> > Lincoln
> >
>
> This is a bug that we found a little while ago. It was not present in version
> 1.X, but it was introduced with the 2.0 code.
>
> There are two versions of this bug that are really the same one.
>
> 1. If you have your "verify document" set to once per session, then
> you can cancel on an authorization attempt, go to an unprotected
> URL and use the back button to get the text. The browser then
> attempts to retrieve the images on the page, which produces
> authorization attempts.
>
> 2. The second is the scenario that Lincoln has witnessed. When
> the "verify document" is set to never, the browser can be tricked
> into getting the document out of the cache without authentication.
>
I have a question after reading about caching the protected file.
How does it work if you are using a proxy server? Does it store
protected files? I guess that would imply a much more severe hole,
but then I don't know how the proxy server works... Can someone
enlighten me?
------------------------------------------
Magnus Lundgren NetGuide/TerraTel
iorlas@netg.se +46 (0)31 50 79 40
webmaster@netg.se
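The proxy question above was later settled in the HTTP/1.1 specification rather than in this thread: a shared cache must not store a response to a request that carried an Authorization header unless the response explicitly permits it (Cache-Control: public, must-revalidate or s-maxage), and a server can forbid caching outright with Cache-Control: no-store. The following is an added example, not code from any participant in this thread or from Netscape; it implements that storability rule for a shared cache and shows the headers a server can put on a password-protected page. The request and response headers are constructed inline for illustration, and nothing here says how the 1995 browser or proxies actually behaved.

```python
"""Decide whether a shared (proxy) cache may store a response to an
authenticated request, following the HTTP/1.1 rule in RFC 7234 section 3.2,
and show the headers a server should send on password-protected pages
to keep both proxies and browsers from writing them to disk.

Added example, not code from the original thread. Sample messages
are constructed here, not captured from a real server or browser.
"""

# Cache-Control directives that RFC 7234 section 3.2 lists as explicitly
# permitting a shared cache to store a response to a request that
# carried an Authorization header.
_AUTH_OVERRIDES = {"must-revalidate", "public", "s-maxage"}


def parse_cache_control(value):
    """Split a Cache-Control field into {directive: argument-or-None}.

    Directive names are case-insensitive; quoted arguments are unquoted.
    """
    directives = {}
    if not value:
        return directives
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        arg = arg.strip().strip('"') if arg else None
        directives[name.strip().lower()] = arg
    return directives


def shared_cache_may_store(request_headers, response_headers):
    """Return True if a shared cache (proxy) is allowed to store this response.

    Header names are matched case-insensitively. Only the storability
    rules relevant to protected content are implemented (no-store, private
    and the Authorization exception); freshness calculation is out of scope.
    """
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))

    # no-store forbids every cache; private forbids shared caches.
    if "no-store" in cc or "private" in cc:
        return False

    # A shared cache MUST NOT store a response to a request with
    # Authorization unless the response explicitly allows it.
    if "authorization" in req and not (_AUTH_OVERRIDES & cc.keys()):
        return False

    return True


def protected_response_headers():
    """Headers a server should attach to a password-protected document.

    no-store stops HTTP/1.1 caches (browser and proxy) from storing the
    body; private additionally excludes shared caches; the past Expires
    date is a hedge for HTTP/1.0-era caches that ignore Cache-Control.
    """
    return {
        "Cache-Control": "no-store, private",
        "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    }


if __name__ == "__main__":
    # Constructed request: the browser replayed Basic credentials.
    request = {"Authorization": "Basic dXNlcjpwYXNz"}

    # Constructed responses from a server that protects a document.
    no_cache_control = {"Content-Type": "text/html"}
    public = {"Cache-Control": "public, max-age=600"}
    hardened = protected_response_headers()

    print("no Cache-Control:", shared_cache_may_store(request, no_cache_control))
    print("public:", shared_cache_may_store(request, public))
    print("hardened:", shared_cache_may_store(request, hardened))
```

The practical check for a site owner is the middle case: a protected page served with no Cache-Control at all is already off limits to a conforming shared cache because the request carried Authorization, but the browser's own cache is not bound by that rule, so the no-store header is what actually addresses the disk-cache behaviour the thread describes.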