Re: Bigfoot/Bellsouth Webmail bug

From: Madere, Russel (rmadereat_private)
Date: Sat Jan 09 1999 - 15:32:20 PST

  • Next message: Thamer Al-Herbish: "Re: setuid vs. setgid (was Re: Anonymous Qmail Denial of Service)" 

    Yes.  I logged out immediately loaded the cached page and just hit the Login
button again and got right in.  On another machine, I logged in and logged
out.  I let the browser site for 1 hour and repeated the previous
experiment, I repeated with 2 and 3 hour intervals as well.  Each time, I
was able to simply hit the Login button and log in.

Russel

                -----Original Message-----
                From:   James Nerlinger, Jr. [mailto:jnj@AIS-BBS.ORG]
                Sent:   Friday, January 08, 1999 11:58 AM
                To:     BUGTRAQat_private
                Subject:        Re: Bigfoot/Bellsouth Webmail bug

                >I seem to have found another "bug" with the
Bigfoot/Bellsouth Webmail.
                >Users can log back into the service from cached pages.
This is a huge
                >security hole, especially for users access these services
from public
                >terminals.  Subsequent users can just use the back button
to go back in the
                >previous session history and log in as the previous user.


                This is not uncommon in web based email & conferencing
packages, however,
                most are authored to only allow this for a certain amount of
time and to
                disregard the attempt if the user logged out properly.  Out
of curiosity,
                did you test this with the two variables of time and a
logout?

                James

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:23 PDT