[11421] in bugtraq

Re: IE5 ACL protected pages viewable from cache by unauthorized u

daemon@ATHENA.MIT.EDU (Paul Leach (Exchange))
Thu Aug 19 08:03:17 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <19398D273324D3118A2B0008C7E9A569FADE38@SIT.platinum.corp.microsoft.com>
Date:         Tue, 17 Aug 1999 10:39:35 -0700
Reply-To: "Paul Leach (Exchange)" <paulle@EXCHANGE.MICROSOFT.COM>
From: "Paul Leach (Exchange)" <paulle@EXCHANGE.MICROSOFT.COM>
X-To:         "J.Kent Robinson" <krobinson@TEAMLEX.COM>,
              BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

The IE cache in Windows NT is per-user, and ACLd so only that user has
access. From your description, it appears that the "unauthorized" user was
running using the same account in the same logon session as the "authorized"
user. (Closing the browser and reopening it doesn't count.) So, as far as
the OS is concerned, it's the same user, and both are equally authorized.

Log out and log back in as a different user.

(There is an option to tell IE to clear the cache after the browser closes.
But nothing short of logout is spec'd to work completely.)

Paul
