Yes. I logged out, immediately loaded the cached page and just hit the Login button again and got right in. On another machine, I logged in and logged out. I let the browser sit for 1 hour and repeated the previous experiment. I repeated with 2 and 3 hour intervals as well. Each time, I was able to simply hit the Login button and log in.

Russel

-----Original Message-----
From: James Nerlinger, Jr. [mailto:jnj@AIS-BBS.ORG]
Sent: Friday, January 08, 1999 11:58 AM
To: BUGTRAQat_private
Subject: Re: Bigfoot/Bellsouth Webmail bug

>I seem to have found another "bug" with the Bigfoot/Bellsouth Webmail.
>Users can log back into the service from cached pages. This is a huge
>security hole, especially for users accessing these services from public
>terminals. Subsequent users can just use the back button to go back in the
>previous session history and log in as the previous user.

This is not uncommon in web based email & conferencing packages; however, most are authored to only allow this for a certain amount of time and to disregard the attempt if the user logged out properly. Out of curiosity, did you test this with the two variables of time and a logout?

James
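
The two variables discussed in this thread, time and logout, as an added example that is not part of the original messages and not Bigfoot/Bellsouth code. It assumes the cached page replays a session token; `SessionStore`, `replay_results`, the 900-second idle timeout and the sample user are hypothetical.

```python
import secrets
import time

# Response headers for authenticated pages, so the browser does not keep a
# replayable copy in its cache or history.
NO_STORE_HEADERS = {"Cache-Control": "no-store", "Pragma": "no-cache", "Expires": "0"}


class SessionStore:
    """Server-side sessions: the token is only valid while the server says so."""

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        # idle_timeout (seconds) is an assumed value, not one from the thread.
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.sessions = {}  # token -> (user, last_seen)

    def login(self, user):
        token = secrets.token_urlsafe(32)  # fresh unpredictable token per login
        self.sessions[token] = (user, self.clock())
        return token

    def logout(self, token):
        # Delete server state so a cached page holding the old token is useless.
        self.sessions.pop(token, None)

    def authenticate(self, token):
        """Return the user for a live token, or None if logged out or idle too long."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self.clock()
        if now - last_seen > self.idle_timeout:
            del self.sessions[token]  # expire abandoned sessions (no logout)
            return None
        self.sessions[token] = (user, now)  # sliding idle window
        return user


def replay_results(wait_seconds, logged_out):
    """Constructed scenario: log in, optionally log out, wait, replay the token."""
    now = [0.0]
    store = SessionStore(idle_timeout=900, clock=lambda: now[0])
    token = store.login("user@example.invalid")
    if logged_out:
        store.logout(token)
    now[0] += wait_seconds
    return store.authenticate(token)
```

If the cached page resubmits the credentials themselves rather than a token, server-side invalidation does not help and only the no-store headers keep the login request out of the browser history.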
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:23 PDT