Re: Bigfoot/Bellsouth Webmail bug

From: James Nerlinger, Jr. (jnj@ais-bbs.org)
Date: Fri Jan 08 1999 - 09:58:20 PST

    >I seem to have found another "bug" with the Bigfoot/Bellsouth Webmail.
    >Users can log back into the service from cached pages.  This is a huge
    >security hole, especially for users accessing these services from public
    >terminals.  Subsequent users can just use the back button to go back in the
    >previous session history and log in as the previous user.
    
    
    This is not uncommon in web-based email & conferencing packages; however,
    most are authored to only allow this for a certain amount of time and to
    disregard the attempt if the user logged out properly.  Out of curiosity,
    did you test this with the two variables of time and a logout?
    
    James
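    The two checks James asks about (a time window and an explicit logout), as an
    added example that is not part of the original thread and not the
    Bigfoot/Bellsouth code; the session table, timeout value and header helper
    are assumptions for illustration.

```python
"""Added example: server-side session state with an idle-time window and
logout revocation, plus the response headers that keep an authenticated
page out of the browser cache a later user could reach with the back button.
All names and values here are assumed, not taken from the product discussed."""
import secrets
import time
from typing import Dict, Optional

SESSION_LIFETIME = 15 * 60  # assumed idle timeout, in seconds

# token -> {"user": str, "last_seen": float, "logged_out": bool}
_sessions: Dict[str, dict] = {}


def login(user: str, now: Optional[float] = None) -> str:
    """Issue a fresh random token; the token, not a cached page, is the session."""
    token = secrets.token_urlsafe(32)
    _sessions[token] = {"user": user,
                        "last_seen": now if now is not None else time.time(),
                        "logged_out": False}
    return token


def logout(token: str) -> None:
    """Mark the session dead so a token replayed from history is refused."""
    if token in _sessions:
        _sessions[token]["logged_out"] = True


def validate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a live token, else None.
    Refused if never issued, logged out, or idle longer than SESSION_LIFETIME."""
    now = now if now is not None else time.time()
    s = _sessions.get(token)
    if s is None or s["logged_out"]:
        return None
    if now - s["last_seen"] > SESSION_LIFETIME:
        _sessions.pop(token, None)  # expired: forget it entirely
        return None
    s["last_seen"] = now  # sliding window: activity extends the session
    return s["user"]


def no_store_headers() -> Dict[str, str]:
    """Headers to send with every authenticated page so a shared terminal's
    browser does not keep a copy that the back button can bring back."""
    return {"Cache-Control": "no-store, no-cache, must-revalidate",
            "Pragma": "no-cache",
            "Expires": "0"}
```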
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:14 PDT