[16623] in bugtraq
Re: Intacct.com: Multiple bugs at financial services company
daemon@ATHENA.MIT.EDU (Andrew Pimlott)
Wed Sep 6 21:09:45 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000906151355.N16721@pimlott.ne.mediaone.net>
Date: Wed, 6 Sep 2000 15:13:55 -0400
Reply-To: Andrew Pimlott <andrew@PIMLOTT.NE.MEDIAONE.NET>
From: Andrew Pimlott <andrew@PIMLOTT.NE.MEDIAONE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000906074800.A10422@unixzone.com>; from cmason@UNIXZONE.COM on
Wed, Sep 06, 2000 at 07:48:01AM -0400
On Wed, Sep 06, 2000 at 07:48:01AM -0400, Chris L. Mason wrote:
> I think there's a solution to this "problem" that is far too often
> overlooked. More sites simply need to start using HTTP Basic
> Access Authentication.
If you think this is the solution, you don't understand the
cross-site scripting class of vulnerabilities. Honest. Read
http://www.apache.org/info/css-security/ a few times.
HTTP authentication is just a limited cookie. It is basically not
possible for HTTP authentication to be more secure than cookies
(modulo implementation quirks). It can be less secure, because
there is no standard way to force (more accurately, advise)
expiration. If you don't understand why this is desirable, see
above. Hint: this is about protecting the client, not protecting
the server.
> 4. One user of a service can email another a URL from within the site, and
> the other user can actually use it, *and* be authenticated properly
> with their own id!
Exactly the problem. Do you really want
http://bank.example.com/transfer.cgi?amount=1000.00&recipient=apimlott
to "just work"? If you don't think I can trick you into going to
that URL, I bet you're wrong.
> I wish companies would focus on providing services as secure as possible at
> their end. You only control *your* systems, so focus on securing *them*.
Sure, let's all ignore our customers' security. In fairness,
hotmail.com, intacct.com, and many other sites seem to agree.
Andrew
