[Previous] [Next] [Index]
[Thread]
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
I believe you're right. Netscape is cacheing the protected document to
disk and then returning it on subsequent sessions without requiring
reauthentication by the user. This is still a major uh-oh, but not nearly
as bad as my first hypothesis that Netscape was storing passwords to disk.
Lincoln
>I think you're getting the disk cache confused with Netscape's
>authentication. Your demonstration page will not work correctly if you
>flush the disk cache before attempting it.
>
>A better test would be to follow steps 1 - 3 on your page, the modify the
>protected page in some way. Then, follow steps 4 - 8 on your page. You
>won't see the modifications to your page, but rather you'll see the old
>document that you had previously accessed and that is now in your disk
>cache.
>
>Your demonstration also fails, if you do the following:
>
> - go to Netscape's options -> Network Preferences menu
> - change "Verify Document" to "Every Time"
>
>Your demonstration no longer works due to that fact, that you are not
>loading the page from cache, but requesting it each time from the server.
>
>-DaVe
> mccomb@is.gs.com Information Security/Goldman Sachs
> Voice : (212) 357-1939 85 Broad St. 85B/09, NY, NY 10004
> Fax : (212) 357-1884 Beeper: 1(800)800-7759
>
>On Mon, 18 Dec 1995, Lincoln D. Stein wrote:
>
>> For those who are having trouble reproducing this bug, there is a
>> demonstration at URL. Note that this URL is _not_ a Netscape server, but
>> Apache. The bug is on the browser side, not the server side.
>>
>> http://www-genome.wi.mit.edu/~lstein/unprotected/
>>
>> Lincoln
>>
>> ========================================================================
>> Lincoln Stein, M.D.,Ph.D. lstein@genome.wi.mit.edu
>> Director: Informatics Core
>> MIT Genome Center (617) 252-1916
>> Whitehead Institute for Biomedical Research (617) 252-1902 FAX
>> One Kendall Square
>> Cambridge, MA 02139
>> =================http://www-genome.wi.mit.edu/~lstein====================
>>
>>
>>
========================================================================
Lincoln Stein, M.D.,Ph.D. lstein@genome.wi.mit.edu
Director: Informatics Core
MIT Genome Center (617) 252-1916
Whitehead Institute for Biomedical Research (617) 252-1902 FAX
One Kendall Square
Cambridge, MA 02139
=================http://www-genome.wi.mit.edu/~lstein====================
Follow-Ups: