
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3



I think you're getting the disk cache confused with Netscape's 
authentication.  Your demonstration page will not work correctly if you 
flush the disk cache before attempting it.

A better test would be to follow steps 1 - 3 on your page, then modify the 
protected page in some way.  Then, follow steps 4 - 8 on your page.  You 
won't see the modifications to your page, but rather you'll see the old 
document that you had previously accessed and that is now in your disk 
cache.

Your demonstration also fails if you do the following:

 - go to Netscape's options -> Network Preferences menu
 - change "Verify Document" to "Every Time"

Your demonstration no longer works due to the fact that you are not 
loading the page from cache, but requesting it each time from the server.

-DaVe
 mccomb@is.gs.com		Information Security/Goldman Sachs
 Voice : (212) 357-1939		85 Broad St. 85B/09,  NY, NY 10004
 Fax   : (212) 357-1884		Beeper: 1(800)800-7759

On Mon, 18 Dec 1995, Lincoln D. Stein wrote:

> For those who are having trouble reproducing this bug, there is a
> demonstration at URL.  Note that this URL is _not_ a Netscape server, but
> Apache.  The bug is on the browser side, not the server side.
> 
>         http://www-genome.wi.mit.edu/~lstein/unprotected/
> 
> Lincoln
> 
> ========================================================================
> Lincoln Stein, M.D.,Ph.D.                       lstein@genome.wi.mit.edu
> Director: Informatics Core
> MIT Genome Center                               (617) 252-1916
> Whitehead Institute for Biomedical Research     (617) 252-1902 FAX
> One Kendall Square
> Cambridge, MA 02139
> =================http://www-genome.wi.mit.edu/~lstein====================
> 
> 
> 
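
The distinction drawn in the message above, between a stale disk-cache copy and an authentication check made by the server, as an added example that is not part of the original thread. It is a simplified model, not Netscape's code; the class names, the `verify_every_time` flag, the URL path and the password are all assumptions made for illustration.

```python
# Simplified model (constructed for illustration, not Netscape's code):
# a URL-keyed disk cache in front of a server that requires a password.

class Server:
    """Origin server holding one protected document."""
    def __init__(self, body, password):
        self.body, self.password, self.requests = body, password, 0

    def get(self, password=None):
        self.requests += 1
        if password != self.password:
            return 401, None          # authentication is enforced only here
        return 200, self.body


class Browser:
    """Client whose disk cache outlives the credentials it was filled with."""
    def __init__(self, server, verify_every_time=False):
        self.server = server
        self.verify_every_time = verify_every_time
        self.disk_cache = {}

    def fetch(self, url, password=None):
        if not self.verify_every_time and url in self.disk_cache:
            return 200, self.disk_cache[url], "cache"   # server is never asked
        status, body = self.server.get(password)
        if status == 200:
            self.disk_cache[url] = body
        return status, body, "server"

    def flush_disk_cache(self):
        self.disk_cache.clear()


def run(verify_every_time, flush=False):
    """Visit with credentials, edit the page, revisit without credentials."""
    server = Server("version 1", password="s3cret")    # constructed values
    browser = Browser(server, verify_every_time)
    browser.fetch("/protected/", password="s3cret")
    server.body = "version 2"     # the modification suggested in the message
    if flush:
        browser.flush_disk_cache()
    return browser.fetch("/protected/")                # no credentials sent


if __name__ == "__main__":
    for args in [(False, False), (False, True), (True, False)]:
        print(args, run(*args))
```

In this model the second visit returns the old "version 1" body from the cache without contacting the server, while flushing the cache or verifying every time sends the request to the server, which answers 401.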

