Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3

I think that if this is to be considered a bug, then the bug must be that
Netscape caches password protected pages at all. The bug is not really
that you can access those old cached "protected" pages through the
browser by canceling the authentication and then using the "Back"
button -- you could just as easily access those pages through the file
system, or with the browser by accessing something like:

file:/home/userid/.netscape/cache/10/cache30D5F9B006C638B

The problem also becomes having the proper file permissions set (which
Netscape handles) so that no one else can access your cached pages, and
the problems that arise through use of a shared browser.

So, if you're using a colleague's copy of Netscape to access protected
pages, make sure you clear the cache and exit the browser when you're
done if you don't want him to see any old copies of those pages.

-DaVe
mccomb@is.gs.com Information Security/Goldman Sachs
Voice : (212) 357-1939 85 Broad St. 85B/09, NY, NY 10004
Fax : (212) 357-1884 Beeper: 1(800)800-7759

On Mon, 18 Dec 1995 hickey@ctron.com wrote:
> This is a bug that we found a little while ago. It was not present in version
> 1.X, but it was introduced with the 2.0 code.
>
> There are two versions of this bug that are really the same one.
>
> 1. If you have your "verify document" set to once per session, then
> you can cancel on an authorization attempt, go to an unprotected
> URL and use the back button to get the text. The images on the
> page are attempted to be retrieved and produce authorization
> attempts.
>
> 2. The second scenario is the one that Lincoln has
> witnessed. When the "verify document" is set to never, the
> browser can be tricked into getting the document out of the
> cache without authentication.
>
> If I remember correctly, the browser works as expected when you have the
> "verify document" set to every time. Essentially every time you attempt to
> get the document, the browser will do a HEAD on the document, and the server
> will force the authentication.
>
> Clearly, this is a bug in the browser, but I think that it is somewhat
> understandable it being overlooked by the programmers at Netscape.
> --
> Gerard Hickey, hickey@ctron.com, +1 603 337 7391/+1 603 337 7784 (fax)
> Cabletron Systems, 36 Industrial Way, Rochester, NH 03867
> ======================================================================
> Cabletron Systems Webmaster (webmaster@ctron.com)
> http://www.ctron.com/~hickey/
>
>
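
The file-permission point in the reply above, as an added example that is not part of the original messages: a Python script that walks a browser cache directory and reports every entry another local user could reach, then strips those permission bits. The function names `audit_cache` and `tighten` are hypothetical and the demo tree is constructed; pass a real cache directory such as `~/.netscape/cache` as the argument to check it instead.

```python
import os
import stat
import sys
import tempfile


def audit_cache(root):
    """Return sorted (path, problem) pairs for entries under root that are not private."""
    findings = []
    me = os.getuid()
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not descend into symlinks
        entries += [os.path.join(dirpath, name) for name in dirnames + filenames]
    for path in sorted(entries):
        st = os.lstat(path)  # lstat: judge the link itself, not its target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink inside cache"))
            continue
        if st.st_uid != me:
            findings.append((path, "owned by uid %d" % st.st_uid))
        extra = stat.S_IMODE(st.st_mode) & 0o077  # any group/other permission bit
        if extra:
            findings.append((path, "group/other bits %03o" % extra))
    return findings


def tighten(root):
    """Remove group/other bits from every entry audit_cache flagged for its mode."""
    for path, problem in audit_cache(root):
        if problem.startswith("group/other"):
            os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & 0o700)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = os.path.expanduser(sys.argv[1])
    else:
        # Constructed demo: one cached page left world-readable.
        target = tempfile.mkdtemp()
        leaky = os.path.join(target, "cache-demo-entry")
        open(leaky, "w").close()
        os.chmod(leaky, 0o644)
    for path, problem in audit_cache(target):
        print("%s: %s" % (path, problem))
```

This covers only other local accounts reading the cache files; on a shared browser profile the cached pages stay readable to whoever uses that account, so clearing the cache is still needed there.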