Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
> I believe you're right. Netscape is caching the protected document to
> disk and then returning it on subsequent sessions without requiring
> reauthentication by the user. This is still a major uh-oh, but not nearly
> as bad as my first hypothesis that Netscape was storing passwords to disk.
>
> Lincoln
>
This is a bug that we found a little while ago. It was not present in version
1.X, but it was introduced with the 2.0 code.

There are two versions of this bug that are really the same one.

1. If you have your "verify document" set to once per session, then
   you can cancel on an authorization attempt, go to an unprotected
   URL and use the back button to get the text. The images on the
   page are attempted to be retrieved and produce authorization
   attempts.

2. The second scenario is the one that Lincoln has
   witnessed. When the "verify document" is set to never, the
   browser can be tricked into getting the document out of the
   cache without authentication.

If I remember correctly, the browser works as expected when you have the
"verify document" set to every time. Essentially, every time you attempt to
get the document, the browser will do a HEAD on the document, and the server
will force the authentication.

Clearly, this is a bug in the browser, but I think that it is somewhat
understandable it being overlooked by the programmers at Netscape.
--
Gerard Hickey, hickey@ctron.com, +1 603 337 7391/+1 603 337 7784 (fax)
Cabletron Systems, 36 Industrial Way, Rochester, NH 03867
======================================================================
Cabletron Systems Webmaster (webmaster@ctron.com)
http://www.ctron.com/~hickey/
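
An added example, not part of the original message and not Netscape's code: a simplified Python model of the cache behaviour described above for the "never" and "every time" settings, plus one possible fix that records whether a cached copy was fetched with credentials. The URL, credentials, and all class and function names are constructed for illustration.

```python
# Simplified model constructed for illustration; not Netscape's code.
URL = "/private/report.html"            # constructed sample URL
PROTECTED = {URL: "secret report"}      # constructed sample document
VALID_CREDS = ("alice", "s3cret")       # constructed sample credentials

def server_fetch(url, creds=None):
    """Origin server: a protected URL answers 401 unless creds are valid."""
    if url in PROTECTED and creds != VALID_CREDS:
        return 401, None
    return 200, PROTECTED.get(url, "public page")

class Browser:
    def __init__(self, verify, disk_cache, hardened=False):
        self.verify = verify        # "never" or "every" (the "verify document" setting)
        self.cache = disk_cache     # survives sessions: url -> (body, needed_auth)
        self.hardened = hardened
        self.creds = {}             # credentials typed in during this session
        self.authed = set()         # URLs the server accepted creds for this session

    def login(self, url, creds):
        self.creds[url] = creds

    def get(self, url):
        entry = self.cache.get(url)
        if entry is not None:
            body, needed_auth = entry
            # Hardened rule: a copy fetched with credentials is only reused
            # after the server has accepted credentials in this session.
            stale_auth = self.hardened and needed_auth and url not in self.authed
            if self.verify != "every" and not stale_auth:
                return 200, body    # served from disk, server never contacted
        # Revalidation, modelled as a full request (the message describes a HEAD).
        creds = self.creds.get(url)
        status, body = server_fetch(url, creds)
        if status == 200:
            self.cache[url] = (body, creds is not None)
            if creds is not None:
                self.authed.add(url)
        return status, body

def second_session(verify, hardened=False):
    """Session 1 logs in and fills the cache; session 2 has no credentials."""
    disk = {}
    first = Browser(verify, disk, hardened)
    first.login(URL, VALID_CREDS)
    first.get(URL)
    return Browser(verify, disk, hardened).get(URL)
```

`second_session("never")` returns the protected text to a session that never authenticated, while `"every"` and the hardened variant both end in the server's 401.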