[9011] in bugtraq
Re: Bigfoot/Bellsouth Webmail bug
daemon@ATHENA.MIT.EDU (James Nerlinger, Jr.)
Sat Jan 9 15:17:25 1999
X-Mdaemon-Deliver-To: bugtraq@netspace.org
Date: Fri, 8 Jan 1999 12:58:20 -0500
Reply-To: jnj@ais-bbs.org
From: "James Nerlinger, Jr." <jnj@AIS-BBS.ORG>
X-To: "Madere, Russel" <rmadere@STEI.COM>
To: BUGTRAQ@NETSPACE.ORG
>I seem to have found another "bug" with the Bigfoot/Bellsouth Webmail.
>Users can log back into the service from cached pages. This is a huge
>security hole, especially for users accessing these services from public
>terminals. Subsequent users can just use the back button to go back in the
>previous session history and log in as the previous user.
This is not uncommon in web-based email & conferencing packages; however,
most are authored to only allow this for a certain amount of time and to
disregard the attempt if the user logged out properly. Out of curiosity,
did you test this with the two variables of time and a logout?
James
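The two server-side checks the reply refers to, an idle timeout and invalidation on explicit logout, are what decide whether a page reached through the browser's back button can still act on the old session. Below is an added illustration of those checks (example code written for this archive entry, not code from the thread or from Bigfoot/Bellsouth Webmail). The `SessionStore` class, the 30-minute timeout and the user names are assumptions; the `no_store_headers` helper returns the standard HTTP headers that tell a browser not to keep the mailbox page in its history cache, which addresses the cached-page half of the report.

```python
"""Added example: server-side session table with an idle timeout and
logout invalidation, plus the no-store response headers for the mailbox
page. Not from the thread or from the Webmail product it discusses.
Names, the timeout value and the user names are assumptions."""

import secrets
import time

SESSION_TIMEOUT = 30 * 60  # assumed idle timeout, in seconds


class SessionStore:
    """Keeps the authoritative copy of every live session on the server.

    A page served from the browser cache only carries a token; the server
    decides whether that token still maps to a user.
    """

    def __init__(self, timeout=SESSION_TIMEOUT):
        self.timeout = timeout
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user, now=None):
        """Issue an unguessable token for a freshly authenticated user."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def validate(self, token, now=None):
        """Return the user for a live session, or None.

        None covers both failure modes from the thread: a token removed by
        a proper logout, and a token whose idle time exceeded the timeout.
        """
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None  # never issued, or invalidated by logout
        if now - entry["last_seen"] > self.timeout:
            del self._sessions[token]  # expired: drop it so it cannot revive
            return None
        entry["last_seen"] = now  # refresh the idle timer on every use
        return entry["user"]

    def logout(self, token):
        """Invalidate the session server-side; True if it was still live."""
        return self._sessions.pop(token, None) is not None


def no_store_headers():
    """Response headers that keep the mailbox page out of the history
    cache, so the back button re-requests it and hits validate()."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def replay_after_logout(store):
    """Scenario from the report: a later user of the same terminal presents
    the previous user's token after that user logged out properly.
    Returns what the server would resolve the token to (None = rejected)."""
    token = store.login("alice", now=1000.0)   # constructed timestamps
    store.validate(token, now=1010.0)          # normal use within the session
    store.logout(token)                        # previous user logs out
    return store.validate(token, now=1020.0)   # replay from a cached page


def replay_after_timeout(store):
    """Same replay, but the previous user simply walked away; the idle
    timeout alone must reject the token."""
    token = store.login("bob", now=1000.0)
    return store.validate(token, now=1000.0 + store.timeout + 1)


if __name__ == "__main__":
    s = SessionStore()
    print("after logout ->", replay_after_logout(s))
    print("after timeout ->", replay_after_timeout(s))
    print("headers ->", no_store_headers())
```

Both replay functions return `None`, meaning the server refuses to act on the stale token even though the browser happily rendered the old page. The headers matter for privacy of what is already on screen, but without the server-side check they would not close the hole on their own.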