[3462] in WWW Security List Archive
Re: CGI Security
daemon@ATHENA.MIT.EDU (Robert S. Muhlestein)
Tue Nov 5 18:21:58 1996
Date: Tue, 5 Nov 1996 12:51:40 -0800 (PST)
From: "Robert S. Muhlestein" <robertm@teleport.com>
To: Saeid Parivash <PARIVASH@cc1.unt.edu>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <5ACAB120976@cc1.unt.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 4 Nov 1996, Saeid Parivash wrote:
> There is a security problem with the above CGI application. What if
> the user is in the lab, and does not close his navigator. Someone
> can come along and click on the "back button" on their browser, and
> find out the user ID and PIN #.
I'm afraid this is a policy issue. Form data is not cached when most
browsers shut down. It would require that someone always shut the
application down. Most consider this to be standard security policy.
Couple basic lab monitoring with some easy way to frequently change the
password and you've probably topped out the possibilities.
----------------------------------------------------------------------
Robert S. Muhlestein
Web Technologist
NIKE, Inc.
Work: robert.muhlestein@nike.com
Personal: rmuhle@q7.com
Old: robertm@teleport.com
(Opinions and comments are my own, not NIKE's.)
----------------------------------------------------------------------
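As an added illustration of the back-button exposure discussed in this thread (example code, not from either poster or any real application): a minimal CGI-style handler that answers a user-ID/PIN form, tells the browser not to keep a copy of the result page, and never echoes the PIN back into the HTML. The field names `userid` and `pin`, the sample POST body and the stand-in PIN check are assumptions for the example.

```python
"""Added example (not from the thread): a CGI-style login handler that
limits what "Back" can reveal.  Field names, the sample form body and
the PIN check are constructed for illustration."""
from html import escape
from urllib.parse import parse_qs

# Constructed sample POST body, as a browser would submit the form
SAMPLE_BODY = "userid=jdoe&pin=4321"

# Headers asking the browser (and any proxy) not to store the response,
# so "Back" re-requests the page instead of replaying a cached copy.
NO_CACHE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def handle_login(body: str) -> tuple[list[tuple[str, str]], str]:
    """Return (headers, html) for a submitted form.  The PIN is only
    checked here (stand-in check: any 4-digit PIN) and is never written
    into the HTML, so even a cached page would not disclose it."""
    fields = parse_qs(body)
    userid = fields.get("userid", [""])[0]
    pin = fields.get("pin", [""])[0]
    ok = pin.isdigit() and len(pin) == 4  # placeholder for a real lookup
    headers = [("Content-Type", "text/html")] + NO_CACHE_HEADERS
    if not ok:
        return headers, "<p>Login failed.</p>"
    # Echo only non-secret data, HTML-escaped; never the PIN.
    return headers, f"<p>Welcome, {escape(userid)}.</p>"


def leaks_secret(html: str, secrets: list[str]) -> bool:
    """True if any of the given secret strings appears in the response body."""
    return any(s and s in html for s in secrets)


def cgi_main(body: str = SAMPLE_BODY) -> str:
    """Render the full CGI response: header lines, blank line, body."""
    headers, html = handle_login(body)
    return "\r\n".join(f"{k}: {v}" for k, v in headers) + "\r\n\r\n" + html


if __name__ == "__main__":
    print(cgi_main())
```

Browsers of that era did not all honour these headers, so this complements rather than replaces the shutdown-and-monitoring policy the reply describes.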