[32723] in bugtraq


Re: netscreen flaw?

daemon@ATHENA.MIT.EDU (Bryan Burns)
Fri Dec 5 17:34:38 2003

In-Reply-To: <6.0.0.22.1.20031205140914.032ab470@203.167.127.4>
Mime-Version: 1.0 (Apple Message framework v606)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <648ACE2B-2766-11D8-80B3-000393DC9036@netscreen.com>
Content-Transfer-Encoding: 7bit
Cc: firewalls@securityfocus.com, bugtraq@securityfocus.com
From: Bryan Burns <bburns@netscreen.com>
Date: Fri, 5 Dec 2003 13:02:53 -0800
To: tito <mochafrap@mix.ph>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This issue has been resolved in ScreenOS 5.0, which was released last 
month.

In ScreenOS 4.0, if you are concerned about a malicious user using your 
browser session to access the NetScreen web UI, you should quit the 
browser application manually when you step away from your computer or 
when you have finished using the web UI.

- -- 
Bryan Burns
Manager, Security Operations
NetScreen Technologies, Inc.
bburns@netscreen.com

On Dec 4, 2003, at 10:15 PM, tito wrote:

> Hi!
>
> I have 5 NS500 boxes here with these details:
>
>  Hardware Version: 4110(0)
>  Software Version: 4.0.3r4.0 (Firewall+VPN)
>
> When I'm using NetScreen's web UI for management,
> with the idle timeout set to 15 minutes, or if I
> want to log out, Internet Explorer prompts me:
>
> "The Web page you are viewing is trying to close the window.
> Do you want to close this window?"
>
> http://192.168.20.250/close.html*0
>
> If I choose no, and go back to the navigator bar to re-enter the
> Netscreen management IP address
>
> http://192.168.20.250
>
> will lead you directly to the home page
>
> http://192.168.20.252/top.html*6,1,1
>
> I don't have to enter any login credentials
> to be able to peek at or tweak the firewall...
>
> This shouldn't be the case (even if you tell me
> to log out and then close the window at all times,
> even if I disable cookies) (I can't browse the web UI
> with my Internet Explorer security settings set to high),
>
> as the idle timeout must always require me to re-enter
> my username/password after n minutes of inactivity.
>
> what do you think?
>
> thanks,
>
> tito basa
> makati, philippines
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.545 / Virus Database: 339 - Release Date: 11/27/2003
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/0PKCouMQmLsNgw8RArxnAJ9xyv0CUVvOcuaZgcQLmmz5FtBD4gCggki8
qSO1s4ZJGFEgwuL+XGDaIwE=
=FqQ6
-----END PGP SIGNATURE-----
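The thread describes the symptom (re-entering the management URL after the "close window" logout prompt, or after the idle period, lands on the home page without a login) but not the server-side fix. The following is an added example, not NetScreen or ScreenOS code, contrasting a session store whose logout only asks the browser to close its window while the server keeps the session valid, with one that expires sessions on the server after the idle timeout and destroys them on logout. The credential table, token format, timeout value and simulated clock are constructed for illustration.

```python
"""Server-side enforcement of idle timeout and logout for a web management UI.

Added example, not ScreenOS or NetScreen code.  It contrasts two session
stores: one whose "logout" only tells the browser to close the window while
the server keeps the session valid (the behaviour the report describes), and
one that expires sessions on the server after the idle timeout and destroys
them on logout.  Usernames, passwords, the cookie token format and the
simulated clock are constructed for illustration.
"""
import hmac
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; the 15-minute idle timeout from the report

# Constructed credential table for the example (never store plaintext in practice).
_CREDENTIALS = {"admin": "s3cret"}


def _check_password(user, password):
    expected = _CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class WeakSessionStore:
    """Logout is purely client-side: the token survives logout and idle time."""

    def __init__(self):
        self._sessions = {}  # token -> username

    def login(self, user, password, now=None):
        if not _check_password(user, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def logout(self, token):
        # Mirrors a close.html-style logout page: the response asks the browser
        # to close its window, but nothing is removed on the server side.
        return "window.close()"

    def authenticate(self, token, now):
        # The server never consults the clock, so 'now' is ignored.
        return self._sessions.get(token)


class HardenedSessionStore:
    """Idle expiry and logout are enforced on the server, not in the browser."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self._sessions = {}  # token -> (username, last_activity_time)
        self._idle_timeout = idle_timeout

    def login(self, user, password, now):
        if not _check_password(user, password):
            return None
        token = secrets.token_hex(16)  # unguessable, so an old token cannot be replayed
        self._sessions[token] = (user, now)
        return token

    def logout(self, token):
        # Destroy the server-side session first; closing the window is cosmetic.
        self._sessions.pop(token, None)
        return "window.close()"

    def authenticate(self, token, now):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_activity = entry
        if now - last_activity > self._idle_timeout:
            del self._sessions[token]  # expired: the next request must log in again
            return None
        self._sessions[token] = (user, now)  # sliding idle window
        return user


def demo(idle_timeout=IDLE_TIMEOUT):
    """Replay the scenario from the report against both stores with a fake clock."""
    t0 = 1_000_000.0  # constructed start time (seconds)
    results = {}

    weak = WeakSessionStore()
    token = weak.login("admin", "s3cret")
    weak.logout(token)
    # Re-entering the management URL after "logout" or after the idle period
    # still yields an authenticated session.
    results["weak_after_logout"] = weak.authenticate(token, t0 + 1)
    results["weak_after_idle"] = weak.authenticate(token, t0 + idle_timeout + 1)

    hard = HardenedSessionStore(idle_timeout)
    token = hard.login("admin", "s3cret", now=t0)
    results["hard_active"] = hard.authenticate(token, t0 + idle_timeout - 1)
    # Last activity was at t0 + idle_timeout - 1; a full idle period later it is gone.
    results["hard_after_idle"] = hard.authenticate(token, t0 + 2 * idle_timeout)
    token = hard.login("admin", "s3cret", now=t0)
    hard.logout(token)
    results["hard_after_logout"] = hard.authenticate(token, t0 + 1)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The check a practitioner wants after deploying any such fix is the one tito performed: log out (or wait past the idle timeout), then re-request the management URL with the same browser and confirm the login page, not the home page, comes back. Declining the "close this window?" prompt must make no difference, because the browser window is not where the session lives.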

