[9023] in bugtraq
Re: Bigfoot/Bellsouth Webmail bug
daemon@ATHENA.MIT.EDU (Madere, Russel)
Sun Jan 10 14:33:59 1999
Date: Sat, 9 Jan 1999 17:32:20 -0600
Reply-To: "Madere, Russel" <rmadere@STEI.COM>
From: "Madere, Russel" <rmadere@STEI.COM>
X-To: jnj@ais-bbs.org
To: BUGTRAQ@NETSPACE.ORG
Yes. I logged out immediately loaded the cached page and just hit the Login
button again and got right in. On another machine, I logged in and logged
out. I let the browser site for 1 hour and repeated the previous
experiment, I repeated with 2 and 3 hour intervals as well. Each time, I
was able to simply hit the Login button and log in.
Russel
-----Original Message-----
From: James Nerlinger, Jr. [mailto:jnj@AIS-BBS.ORG]
Sent: Friday, January 08, 1999 11:58 AM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Bigfoot/Bellsouth Webmail bug
>I seem to have found another "bug" with the
Bigfoot/Bellsouth Webmail.
>Users can log back into the service from cached pages.
This is a huge
>security hole, especially for users access these services
from public
>terminals. Subsequent users can just use the back button
to go back in the
>previous session history and log in as the previous user.
This is not uncommon in web based email & conferencing
packages, however,
most are authored to only allow this for a certain amount of
time and to
disregard the attempt if the user logged out properly. Out
of curiosity,
did you test this with the two variables of time and a
logout?
James