
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3



I believe you're right.  Netscape is caching the protected document to
disk and then returning it on subsequent sessions without requiring
reauthentication by the user.  This is still a major uh-oh, but not nearly
as bad as my first hypothesis that Netscape was storing passwords to disk.

Lincoln

>I think you're getting the disk cache confused with Netscape's
>authentication.  Your demonstration page will not work correctly if you
>flush the disk cache before attempting it.
>
>A better test would be to follow steps 1 - 3 on your page, then modify the
>protected page in some way.  Then, follow steps 4 - 8 on your page.  You
>won't see the modifications to your page, but rather you'll see the old
>document that you had previously accessed and that is now in your disk
>cache.
>
>Your demonstration also fails if you do the following:
>
> - go to Netscape's options -> Network Preferences menu
> - change "Verify Document" to "Every Time"
>
>Your demonstration no longer works due to the fact that you are not
>loading the page from cache, but requesting it each time from the server.
>
>-DaVe
> mccomb@is.gs.com               Information Security/Goldman Sachs
> Voice : (212) 357-1939         85 Broad St. 85B/09,  NY, NY 10004
> Fax   : (212) 357-1884         Beeper: 1(800)800-7759
>
>On Mon, 18 Dec 1995, Lincoln D. Stein wrote:
>
>> For those who are having trouble reproducing this bug, there is a
>> demonstration at URL.  Note that this URL is _not_ a Netscape server, but
>> Apache.  The bug is on the browser side, not the server side.
>>
>>         http://www-genome.wi.mit.edu/~lstein/unprotected/
>>
>> Lincoln
>>
>> ========================================================================
>> Lincoln Stein, M.D.,Ph.D.                       lstein@genome.wi.mit.edu
>> Director: Informatics Core
>> MIT Genome Center                               (617) 252-1916
>> Whitehead Institute for Biomedical Research     (617) 252-1902 FAX
>> One Kendall Square
>> Cambridge, MA 02139
>> =================http://www-genome.wi.mit.edu/~lstein====================
>>
>>
>>

========================================================================
Lincoln Stein, M.D.,Ph.D.                       lstein@genome.wi.mit.edu
Director: Informatics Core
MIT Genome Center                               (617) 252-1916
Whitehead Institute for Biomedical Research     (617) 252-1902 FAX
One Kendall Square
Cambridge, MA 02139
=================http://www-genome.wi.mit.edu/~lstein====================
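
Added example, not part of the original messages and not Netscape's code: a simplified Python model of the behaviour discussed in this thread, where the password lives only in session memory while the disk cache survives a restart. The URL, password, class names and the `verify_every_time` flag are constructed for illustration.

```python
class Server:
    """Origin server holding one password-protected document."""
    def __init__(self, body, password):
        self.body, self.password = body, password

    def get(self, password):
        if password != self.password:
            return 401, None              # authentication required
        return 200, self.body


class Browser:
    """One browser session. The disk cache is shared between sessions."""
    def __init__(self, disk_cache, verify_every_time=False):
        self.disk_cache = disk_cache      # persists across sessions
        self.verify_every_time = verify_every_time
        self.password = None              # in memory only, gone next session

    def fetch(self, url, server, password=None):
        if password is not None:
            self.password = password
        if url in self.disk_cache and not self.verify_every_time:
            # Cached copy is returned; the server is never contacted,
            # so no authentication check takes place.
            return 200, self.disk_cache[url]
        status, body = server.get(self.password)
        if status == 200:
            self.disk_cache[url] = body   # protected content written to disk
        return status, body


def run_demo(verify_every_time, flush_cache=False):
    url = "/protected/index.html"         # constructed sample URL
    server = Server("original page", "s3cret")
    disk = {}
    first = Browser(disk, verify_every_time)
    first.fetch(url, server, password="s3cret")   # authenticated visit
    server.body = "modified page"         # the page is changed on the server
    if flush_cache:
        disk.clear()                      # user flushes the disk cache
    second = Browser(disk, verify_every_time)     # new session, no password
    return second.fetch(url, server)


if __name__ == "__main__":
    print(run_demo(verify_every_time=False))      # stale protected page, no login
    print(run_demo(verify_every_time=True))       # server asked, 401
    print(run_demo(False, flush_cache=True))      # nothing cached, 401
```

The second session never holds the password in any of the three runs; only the cached document on disk is exposed, which matches the distinction drawn in the replies above.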


