
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3



I think that if this is to be considered a bug, then the bug must be that 
Netscape caches password protected pages at all.  The bug is not really 
that you can access those old cached "protected" pages through the 
browser by canceling the authentication and then using the "Back" 
button -- you could just as easily access those pages through the file 
system, or with the browser by accessing something like:

	file:/home/userid/.netscape/cache/10/cache30D5F9B006C638B

The problem also becomes having the proper file permissions set (which 
Netscape handles) so that no one else can access your cached pages, and 
the problems that arise through use of a shared browser.

So, if you're using a colleague's copy of Netscape to access protected 
pages, make sure you clear the cache and exit the browser when you're 
done if you don't want him to see any old copies of those pages.


-DaVe
 mccomb@is.gs.com		Information Security/Goldman Sachs
 Voice : (212) 357-1939		85 Broad St. 85B/09,  NY, NY 10004
 Fax   : (212) 357-1884		Beeper: 1(800)800-7759

On Mon, 18 Dec 1995 hickey@ctron.com wrote:

> This is a bug that we found a little while ago. It was not present in version
> 1.X, but it was introduced with the 2.0 code. 
> 
> There are two versions of this bug that are really the same one. 
> 
> 	1. If you have your "verify document" set to once per session, then
> 	   you can cancel on an authorization attempt, go to an unprotected
> 	   URL and use the back button to get the text. The images on the 
> 	   page are attempted to be retrieved and produce authorization
> 	   attempts. 
> 
> 	2. The second scenario is the one that Lincoln has
> 	   witnessed. When the "verify document" is set to never, the
> 	   browser can be tricked into getting the document out of the
> 	   cache without authentication. 
> 
> If I remember correctly, the browser works as expected when you have the
> "verify document" set to every time. Essentially every time you attempt to 
> get the document, the browser will do a HEAD on the document, and the server
> will force the authentication.
> 
> Clearly, this is a bug in the browser, but I think that it is somewhat 
> understandable it being overlooked by the programmers at Netscape.
> --
> Gerard Hickey, hickey@ctron.com, +1 603 337 7391/+1 603 337 7784 (fax)
> Cabletron Systems, 36 Industrial Way, Rochester, NH   03867
> ======================================================================
> Cabletron Systems Webmaster (webmaster@ctron.com)
> http://www.ctron.com/~hickey/
> 
> 



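One way to act on the two pieces of advice in the thread (keep the cache readable only by its owner, and clear it before handing a shared browser back), as an added example that is not part of the original messages. It assumes a POSIX file system; the cache directory and entry names it builds are constructed stand-ins for ~/.netscape/cache.

```python
import os
import stat
import tempfile

# Permission bits that let anyone other than the owner read a cache entry.
OTHER_READ = stat.S_IRGRP | stat.S_IROTH

def find_exposed_cache_files(cache_dir):
    """Return cache files (sorted) that are readable by group or others."""
    exposed = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            if stat.S_IMODE(os.lstat(path).st_mode) & OTHER_READ:
                exposed.append(path)
    return sorted(exposed)

def lock_down_cache(cache_dir):
    """Restrict the cache to its owner: 0700 on directories, 0600 on files."""
    os.chmod(cache_dir, 0o700)
    for root, dirs, files in os.walk(cache_dir):
        for d in dirs:
            os.chmod(os.path.join(root, d), 0o700)
        for f in files:
            os.chmod(os.path.join(root, f), 0o600)
    return find_exposed_cache_files(cache_dir)  # empty list when fully locked down

def clear_cache(cache_dir):
    """Delete every cached document so no 'protected' copy outlives the session."""
    removed = 0
    for root, _dirs, files in os.walk(cache_dir):
        for f in files:
            os.remove(os.path.join(root, f))
            removed += 1
    return removed

def build_sample_cache():
    """Constructed stand-in for the cache: one world-readable entry, one private."""
    cache_dir = tempfile.mkdtemp(prefix="netscape-cache-")
    sub = os.path.join(cache_dir, "10")
    os.mkdir(sub)
    leaky = os.path.join(sub, "cache30D5F9B006C638B")    # entry name quoted in the post
    private = os.path.join(sub, "cache0000000000000001")  # constructed second entry
    for path, mode in ((leaky, 0o644), (private, 0o600)):
        with open(path, "w") as fh:
            fh.write("<html>contents of a password-protected page</html>\n")
        os.chmod(path, mode)
    return cache_dir, leaky
```

Run `build_sample_cache()` and pass the returned directory to the three functions in turn; `find_exposed_cache_files` is the audit, `lock_down_cache` the fix, and `clear_cache` what to do before leaving a colleague's browser.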