[9023] in bugtraq


Re: Bigfoot/Bellsouth Webmail bug

daemon@ATHENA.MIT.EDU (Madere, Russel)
Sun Jan 10 14:33:59 1999

Date: 	Sat, 9 Jan 1999 17:32:20 -0600
Reply-To: "Madere, Russel" <rmadere@STEI.COM>
From: "Madere, Russel" <rmadere@STEI.COM>
X-To:         jnj@ais-bbs.org
To: BUGTRAQ@NETSPACE.ORG

Yes.  I logged out, immediately loaded the cached page and just hit the Login
button again, and got right in.  On another machine, I logged in and logged
out.  I let the browser sit for 1 hour and repeated the previous
experiment; I repeated it with 2- and 3-hour intervals as well.  Each time, I
was able to simply hit the Login button and log in.

Russel

-----Original Message-----
From:   James Nerlinger, Jr. [mailto:jnj@AIS-BBS.ORG]
Sent:   Friday, January 08, 1999 11:58 AM
To:     BUGTRAQ@NETSPACE.ORG
Subject:        Re: Bigfoot/Bellsouth Webmail bug

>I seem to have found another "bug" with the Bigfoot/Bellsouth Webmail.
>Users can log back into the service from cached pages.  This is a huge
>security hole, especially for users accessing these services from public
>terminals.  Subsequent users can just use the back button to go back in the
>previous session history and log in as the previous user.

This is not uncommon in web based email & conferencing packages, however,
most are authored to only allow this for a certain amount of time and to
disregard the attempt if the user logged out properly.  Out of curiosity,
did you test this with the two variables of time and a logout?

James
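The two variables James asks about (an idle time limit and a proper logout) are both server-side properties of the session table, not of the browser. The following is an added example, not code from the thread or from the Bigfoot/Bellsouth product: a constructed in-memory session store with a hypothetical `SessionStore` class, an assumed 30-minute idle timeout, and an `invalidate_on_logout` switch so the behaviour Russel reports (logout leaves the server-side session alive, so a cached page can resume it) can be compared with the fixed behaviour (logout destroys the record, and an idle session expires). The `no_store_headers` helper shows the response headers an authenticated page should carry so the back button does not serve it from cache at all.

```python
import secrets
import time

# Constructed example, not the page's or the vendor's code. All names and
# the 30-minute idle limit are assumptions made for illustration.
SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed value)


class SessionStore:
    """Server-side session table keyed by a random token (the cookie value)."""

    def __init__(self, clock=time.time, invalidate_on_logout=True):
        self._clock = clock
        self._invalidate_on_logout = invalidate_on_logout
        self._sessions = {}  # token -> {"user": str, "last_seen": float}

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256-bit unguessable session id
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def logout(self, token):
        # The reported bug behaves as if only the client is sent away and the
        # server-side record survives; a correct logout deletes the record so
        # a token replayed from a cached page or the history is meaningless.
        if self._invalidate_on_logout:
            self._sessions.pop(token, None)

    def user_for(self, token):
        """Return the user bound to `token`, or None if absent or idle too long."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        now = self._clock()
        if now - rec["last_seen"] > SESSION_TTL:
            del self._sessions[token]  # expired: purge and refuse
            return None
        rec["last_seen"] = now  # sliding idle window
        return rec["user"]


def no_store_headers():
    """Headers for any authenticated page so the browser does not keep a copy
    that the back button (or the next user of a public terminal) can revisit."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def replay_after_logout(invalidate_on_logout):
    """Log in, log out, then re-present the token as a cached page would."""
    store = SessionStore(invalidate_on_logout=invalidate_on_logout)
    tok = store.login("alice")
    assert store.user_for(tok) == "alice"  # sanity: session works before logout
    store.logout(tok)
    return store.user_for(tok)


def replay_after_idle(hours):
    """Leave a session unused for `hours` (fake clock), then re-present it."""
    clock = [1_000_000.0]  # constructed epoch value; only differences matter
    store = SessionStore(clock=lambda: clock[0])
    tok = store.login("bob")
    clock[0] += hours * 3600
    return store.user_for(tok)


if __name__ == "__main__":
    print("logout without invalidation:", replay_after_logout(False))  # alice
    print("logout with invalidation:   ", replay_after_logout(True))   # None
    print("resume after 2 idle hours:  ", replay_after_idle(2))        # None
    print(no_store_headers())
```

Running the block with `invalidate_on_logout=False` reproduces the symptom in the report: the token still resolves to the user after logout, and only the idle timeout eventually closes the window. With invalidation on, the replayed token is refused immediately regardless of elapsed time. The cache headers are the complementary client-side control; neither one substitutes for the other on a shared terminal.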
