Re: Another web-based mail reader hole

From: Peter van Dijk (peterat_private)
Date: Tue Jan 19 1999 - 09:45:50 PST

    On Mon, Jan 18, 1999 at 03:24:09PM -0800, Dave Pifke wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    >
    > This bug has been fixed in most webmail clients for quite some time now,
    > but I guess some people just don't see security as a design priority.
    >
    > The free, web-based mail client at www.angelfire.com passes authentication
    > data in the URL.  So your authentication token happily gets logged if
    > you use a proxy server or follow a link in a mail message (via the HTTP
    > referrer header).
    
    Actually, squid logs those requests up to the ? by default, removing the parameter
    part.
    
    Greetz, Peter.
    --
    <squeezer> AND I AM GONNA KILL MIKE                |          Peter van Dijk
    <squeezer> hardbeat, als je nog nuchter bent:      | peterat_private
    <squeezer>   @date = localtime(time);              |  realtime security d00d
    <squeezer>   $date[5] += 2000 if ($date[5] < 37);  |
    <squeezer>   $date[5] += 1900 if ($date[5] < 99);  |        * blah *
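The two leak paths Dave describes (a proxy access log and the Referer header) and the squid default Peter mentions (logging only the part of the request before the ?) can be checked against a proxy log directly. The following is an added example, not code from either poster or from squid; the log lines are constructed, and the set of parameter names treated as authentication material is an assumption to be tuned per application.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query parameter names treated as authentication material (assumption for
# this example; a real deployment would tune this to its applications).
SENSITIVE_PARAMS = {"password", "passwd", "pass", "session", "sessionid", "token", "auth"}

# Combined-format access log with a trailing Referer field. Named groups let
# the line be rebuilt after the URL and Referer are stripped.
LOG_RE = re.compile(
    r'^(?P<pre>.*?")(?P<method>[A-Z]+) (?P<url>\S+)'
    r'(?P<mid> HTTP/[\d.]+" \d{3} \S+ ")(?P<referer>[^"]*)(?P<post>".*)$'
)

# Constructed sample lines: the first leaks a password in the request URL,
# the second leaks a webmail session id through the Referer header.
LINES = [
    '10.0.0.5 - - [18/Jan/1999:15:24:09 -0800] "GET /mail/inbox?user=alice&password=s3cret HTTP/1.0" 200 5120 "-"',
    '10.0.0.5 - - [18/Jan/1999:15:25:41 -0800] "GET /article.html HTTP/1.0" 200 812 "http://webmail.example/read?session=abc123&msg=7"',
]


def strip_query_terms(url: str) -> str:
    """Keep only the part before '?', the behaviour squid applies by default."""
    return url.split("?", 1)[0]


def sensitive_params(url: str) -> list:
    """Names of query parameters in `url` that look like credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return sorted({name for name, _ in pairs if name.lower() in SENSITIVE_PARAMS})


def audit_log_line(line: str) -> dict:
    """Report which fields of a log line carry credential-looking parameters."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line format")
    return {"leak_in_url": sensitive_params(m.group("url")),
            "leak_in_referer": sensitive_params(m.group("referer"))}


def sanitise_log_line(line: str) -> str:
    """Rewrite the line with the query strings removed from URL and Referer."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line format")
    return (m.group("pre") + m.group("method") + " " + strip_query_terms(m.group("url"))
            + m.group("mid") + strip_query_terms(m.group("referer")) + m.group("post"))


if __name__ == "__main__":
    for line in LINES:
        print(audit_log_line(line), "->", sanitise_log_line(line))
```

Note that stripping the query string in the proxy log does nothing about the Referer copy that lands in the remote site's log, which is the second path Dave points out.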
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:29:18 PDT