[1290] in WWW Security List Archive


Re: caching protected documents

daemon@ATHENA.MIT.EDU (Brain21)
Wed Dec 20 19:23:04 1995

Date: Wed, 20 Dec 1995 17:08:47 -0500 (EST)
From: Brain21 <brain21@montag33.residence.gatech.edu>
To: www-security@ns1.rutgers.edu
cc: wwilson@umich.edu, jsw@netscape.com
In-Reply-To: <30D7C5F0.37E1@netscape.com>
Errors-To: owner-www-security@ns2.rutgers.edu

On Wed, 20 Dec 1995, Jeff Weinstein wrote:

> that the "authentication key"(password) was somehow being saved by
> netscape.  In fact it was not, and what he was seeing was the result of
> a minor bug in the caching code, displaying a page that should have
> been thrown out of the cache.  If the server was ever contacted again,
> a real username and password would have to be typed to access protected
> pages.
> 
Unless I misunderstand, this is not correct.  I have accessed a 
page w/ netscape, I then gave it some information (filled out a form) and 
submitted it.  Upon clicking on submit I was prompted for a UID and 
password.  It then submitted the information, and took me to another page
for the result of the search.  Upon hitting the "Back" key I was returned to 
the form with the information typed in (IOW, exactly how it looked before I 
clicked on submit).  I could then erase the data in the window (form) and 
enter new data, click on submit, and get the database information, all 
w/o being asked for the password upon submitting the form.  I never 
really thought too much about this since the office that I work in is 
accessed by only 3 other people all of whom have access to this 
database.  However, it appears that while you would have to submit your 
UID and password if the pages are bookmarked, you would not if it is 
during the same session.  If I access a protected document in a session, 
and then go to perhaps yahoo, then minimize my client and go to the 
bathroom anyone can come up to my machine, and just start hitting the 
"Back" button until they get to the page with the form.  There is NO 
prompt for a password.

What does this mean??  This is NOT necessarily a caching problem!!!

I go to a page.  The page is a form, say for corporate information or 
proprietary documents.  I input the name of the information or document 
for the client to access.  Say I fill in the form the word IRS.  I hit 
submit and I am prompted for a password (so far ONLY the page w/ the 
form, an unprotected page, is in the cache).  I enter my UID and my 
password.  I am authenticated, and taken to the protected page with all 
of our company's tax info.  So far there are two pages in the cache: the 
original form page (blank), and the protected IRS-info page.  Now I click 
on yahoo in my bookmark, OR I manually type in the address, or I follow 
a link.  Now Yahoo is in the cache, and I am "away" from the server with 
the form and IRS-info-protected page.  I have three pages in the cache.  
I perform a search, and browse the web for a while.  I then start to hit 
the "Back" button.  I am back at yahoo.  I hit "Back" again, and I am at 
the IRS-info-protected page, and NO PASSWORD was asked of me.  There it 
is.   Here's the good part....  I hit "Back" again and I am at the first 
cached page, the form page, with the key-word IRS *STILL* in the form.  
So what do I do?  I double-click on the words IRS and enter CIA and hit 
"submit."  I am now taken to the CIA-info page, a NON-CACHED PAGE, and I 
am NOT ASKED for a password.  So, I am not prompted for a password and am 
taken to a page that is supposed to require it.  As long as I can get to 
that form page in the same session, I can get anything from that form 
w/o needing a password.  Now where's our T-Shirts?
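
The message above distinguishes two things a browser keeps during a session: cached pages, and the HTTP Basic credentials it resends on later requests to the same protected area. The model below is an added example, not part of the original post or of any browser's code; `makeServer`, `BrowserSession`, the account and the URL paths are constructed for illustration.

```javascript
// Constructed model: one browser session, one server using HTTP Basic auth.
// makeServer, BrowserSession and the URL paths are hypothetical names.
const basic = (u, p) => "Basic " + Buffer.from(`${u}:${p}`).toString("base64");

function makeServer(user, pass) {
  return (path, headers) => {
    if (!path.startsWith("/search")) return { status: 200, body: "form page" }; // unprotected
    if (headers.Authorization !== basic(user, pass)) return { status: 401, realm: "corp-db" };
    return { status: 200, body: "results for " + path.split("q=")[1] };
  };
}

class BrowserSession {
  constructor(server, askUser) {
    this.server = server;
    this.askUser = askUser;      // stands in for the password dialog
    this.pageCache = new Map();  // URL -> body; what "Back" redisplays
    this.credentials = null;     // kept for the session (real browsers key this by host and realm)
    this.prompts = 0;
    this.requests = 0;
  }
  send(path) {
    this.requests++;
    return this.server(path, this.credentials ? { Authorization: this.credentials } : {});
  }
  get(path) {
    if (this.pageCache.has(path)) return this.pageCache.get(path); // no network traffic
    let res = this.send(path);
    if (res.status === 401) {    // challenge: prompt once, remember, retry
      this.prompts++;
      const { user, pass } = this.askUser(res.realm);
      this.credentials = basic(user, pass);
      res = this.send(path);
    }
    if (res.status === 200) this.pageCache.set(path, res.body);
    return res.body;
  }
  quit() { this.pageCache.clear(); this.credentials = null; } // closing the browser
}

function demo() {
  const s = new BrowserSession(makeServer("alice", "s3cret"), () => ({ user: "alice", pass: "s3cret" }));
  s.get("/form");
  s.get("/search?q=IRS");              // first protected request: one prompt
  s.get("/search?q=IRS");              // "Back": page cache, no request
  const requestsAfterBack = s.requests;
  const cia = s.get("/search?q=CIA");  // never cached, fetched with the remembered credentials
  const promptsSameSession = s.prompts;
  s.quit();
  s.get("/search?q=CIA");              // new session: challenged again
  return { cia, requestsAfterBack, promptsSameSession, promptsAfterQuit: s.prompts };
}
```

Evicting protected pages from the page cache changes only the "Back" step; the uncached query still succeeds without a prompt until the session's credentials are discarded.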




