[18131] in bugtraq


Re: cache cookies?

daemon@ATHENA.MIT.EDU (MadHat)
Mon Dec 18 17:37:55 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id:  <5.0.2.1.0.20001215164020.0385b6e8@pop.unspecific.com>
Date:         Fri, 15 Dec 2000 16:46:21 -0800
Reply-To: MadHat <madhat@UNSPECIFIC.COM>
From: MadHat <madhat@UNSPECIFIC.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200012150037.QAA15722@dilvish.speed.net>

At 04:37 PM 12/14/2000 -0800, you wrote:
>Thomas Reinke <reinke@E-SOFTINC.COM> writes:
> > Actually, it *does* work.  We have on our site a
> > working demonstration of the exploit, showing whether or not
> > you've visited one or more of more than 80 different well known
> > sites.  The URL is
> >
> >    http://www.securityspace.com/exploit/exploit_2a.html
>
>Using default cache settings and with JavaScript enabled, and without any
>proxies in the picture, the exploit fails for me, saying "Cache Miss" for
>all entries, even ones just visited.

Also note that the page claims that all should be there (a "Cache Hit!!!")
once you have visited the test site, but just hitting reload showed about 5
or 6 that still showed "Cache Miss" using Netscape 4.76 (all default) on
Win2k, and as I keep hitting reload, a different number and different sites
show "Cache Miss".

>This is with Netscape Communicator 4.75 (I know, still need to upgrade to
>4.76 due to the fixed buffer overflows) on Windows NT 4.0 and Netscape
>Navigator 3.04 on AIX 4.1.5.
>
>It did work with Internet Explorer, though.
>
>----------------------------------------------------------------------
>Dan Harkless                   | To prevent SPAM contamination, please
>dan-bugtraq@dilvish.speed.net  | do not mention this private email
>SpeedGate Communications, Inc. | address in Usenet posts.  Thank you.

--
MadHat at unspecific.com
