On Mon, Jan 18, 1999 at 03:24:09PM -0800, Dave Pifke wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> This bug has been fixed in most webmail clients for quite some time now,
> but I guess some people just don't see security as a design priority.
>
> The free, web-based mail client at www.angelfire.com passes authentication
> data in the URL. So your authentication token happily gets logged if
> you use a proxy server or follow a link in a mail message (via the HTTP
> referrer header).

Actually, squid logs those requests up to the ? by default, removing the
parameter part.

Greetz, Peter.
--
<squeezer> AND I AM GONNA KILL MIKE               | Peter van Dijk
<squeezer> hardbeat, if you're still sober:       | peterat_private
<squeezer> @date = localtime(time);               | realtime security d00d
<squeezer> $date[5] += 2000 if ($date[5] < 37);   |
<squeezer> $date[5] += 1900 if ($date[5] < 99);   | * blah *
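
The two exposure paths discussed in this thread, as an added example that is not part of either post: it models a proxy that logs the URL only up to the `?` and a browser that sends the full referring URL in the Referer header. The host names, the parameter list in `SENSITIVE` and the sample token are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameter names treated as credentials (assumption for this example).
SENSITIVE = {"token", "auth", "session", "sid", "password"}

def strip_query(url):
    """URL as a proxy writes it when it logs only up to the '?'."""
    return url.split("?", 1)[0]

def credential_params(url):
    """Sorted names of credential-like query parameters present in url."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name.lower() for name, _ in pairs} & SENSITIVE)

def exposure(page_url, clicked_url, proxy_strips_query=True):
    """Report where credentials in page_url end up when the user, while on
    that page, follows a link to clicked_url through a logging proxy."""
    logged = strip_query(page_url) if proxy_strips_query else page_url
    report = {
        "proxy_log": credential_params(logged),
        "referer_to_other_site": [],
    }
    # Assumption: the browser sends the referring page's full URL, query
    # string included, when the link leads to a different host.
    if urlsplit(clicked_url).netloc != urlsplit(page_url).netloc:
        report["referer_to_other_site"] = credential_params(page_url)
    return report

# Constructed sample: hypothetical webmail URL carrying a token in the query.
PAGE = "http://webmail.example/read?msg=42&token=CONSTRUCTED-SAMPLE"
LINK = "http://other.example/index.html"

if __name__ == "__main__":
    for strips in (True, False):
        print("proxy strips query:", strips, exposure(PAGE, LINK, strips))
```

Stripping the query at the proxy empties the `proxy_log` finding, while `referer_to_other_site` still reports the token, because that copy is written by the destination server rather than the proxy.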