[9011] in bugtraq


Re: Bigfoot/Bellsouth Webmail bug

daemon@ATHENA.MIT.EDU (James Nerlinger, Jr.)
Sat Jan 9 15:17:25 1999

X-Mdaemon-Deliver-To: bugtraq@netspace.org
Date: Fri, 8 Jan 1999 12:58:20 -0500
Reply-To: jnj@ais-bbs.org
From: "James Nerlinger, Jr." <jnj@AIS-BBS.ORG>
X-To:         "Madere, Russel" <rmadere@STEI.COM>
To: BUGTRAQ@NETSPACE.ORG

>I seem to have found another "bug" with the Bigfoot/Bellsouth Webmail.
>Users can log back into the service from cached pages.  This is a huge
>security hole, especially for users accessing these services from public
>terminals.  Subsequent users can just use the back button to go back in the
>previous session history and log in as the previous user.

This is not uncommon in web-based email and conferencing packages; however,
most are authored to only allow this for a certain amount of time and to
disregard the attempt if the user logged out properly.  Out of curiosity,
did you test this with the two variables of time and a logout?

James
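The two controls James asks about (an idle timeout and server-side invalidation on logout), plus the cache headers that keep authenticated pages out of a public terminal's browser cache, as an added illustration that is not part of this thread or of the Bigfoot/Bellsouth software; the session store, the `SESSION_TTL_SECONDS` value and the function names are assumptions for the demo:

```python
import secrets

SESSION_TTL_SECONDS = 15 * 60  # assumed idle timeout; not a value from the thread

# Constructed in-memory session store: token -> (user, last_seen_timestamp)
_sessions = {}


def login(user, now):
    """Issue a fresh random session token for `user` at time `now`."""
    token = secrets.token_hex(16)
    _sessions[token] = (user, now)
    return token


def logout(token):
    """Invalidate the session server-side so a replayed token (from a cached
    page or the browser's history) is rejected even if the client still has it."""
    _sessions.pop(token, None)


def authenticate(token, now):
    """Return the user for a live token, or None if it is unknown or has idled
    past SESSION_TTL_SECONDS (in which case it is dropped from the store)."""
    entry = _sessions.get(token)
    if entry is None:
        return None
    user, last_seen = entry
    if now - last_seen > SESSION_TTL_SECONDS:
        _sessions.pop(token, None)
        return None
    _sessions[token] = (user, now)  # refresh idle timer on activity
    return user


def mailbox_headers():
    """Response headers for authenticated pages so the browser does not keep
    a copy that the next user of a shared terminal could navigate back to."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def back_button_scenario(logged_out, idle_seconds):
    """Simulate a later user replaying the first user's token from history.
    Returns the user the replay is authenticated as, or None if rejected."""
    t0 = 1000.0  # constructed clock value
    token = login("alice", t0)
    if logged_out:
        logout(token)
    return authenticate(token, t0 + idle_seconds)
```

The replay only succeeds when the first user neither logged out nor left the terminal idle past the timeout, which is exactly the pair of conditions the reply suggests testing.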