funsec mailing list archives
Re: This sounds like a security disaster just waiting to happen...
From: Steve Pirk <orion () pirk com>
Date: Wed, 29 Apr 2009 15:33:53 -0700 (PDT)
On Wed, 29 Apr 2009, Rich Kulawiec wrote:
On Wed, Apr 29, 2009 at 12:27:41PM -0700, Steve Pirk wrote:
... embarrassing comments deleted ...
safe enough, no?

Well... I'm not so sure. I mean, if we grant the "done correctly" part for the sake of argument, it sounds to me like a file F requested by user A on system X may be cached on system Y used by user B, even if user B does not have the appropriate permissions for file F. If that's the case, and it may not be, then a security issue with system Y or user B could expose file F. Is this how others are reading it?
After I got up off the floor laughing at the "Who's on First" beauty of the above logic chart, it hit me that this probably would not be limited to "internet" cached data, but possibly all internal web data, as Rich says. Right away I thought of ACL'd content (auth/auth) that is web-based within a company, tagged "your eyes only", that could be cached. Quick, how many apps do _not_ use Windows domain-based auth/auth to determine who is allowed to see content? Ick. This would be bad where I work.

"Read the entire blurb, Steve..."

-steve
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
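The failure mode Rich describes (file F fetched by user A ends up in a cache shared with user B, who has no rights to F) is exactly what the shared-cache storage rules in RFC 7234 exist to prevent. The following is an added illustration, not code from any product or poster in this thread: a toy origin with an ACL, a naive shared cache that keys only on the path, and a cache that applies the RFC 7234 section 3 and 3.2 rules (no storing of `private` or `no-store` responses, and no sharing of responses to authenticated requests unless they are explicitly marked `public`, `must-revalidate` or `s-maxage`). The users, paths, ACL and documents are constructed for the demo.

```python
"""Toy shared-cache model (added illustration, not any real product's code).

Simulates the concern raised in the thread: a document fetched by user A
is served out of a cache shared with user B, who is not authorized to
read it. The origin enforces an ACL; the naive cache ignores who asked,
the compliant cache follows the shared-cache storage rules of
RFC 7234 sections 3 and 3.2. All users, paths, ACL entries, documents
and Cache-Control values below are constructed for the demo.
"""
from dataclasses import dataclass, field

# Constructed ACL: which users may read which paths.
ACL = {
    "/finance/q1-numbers.html": {"alice"},
    "/intranet/lunch-menu.html": {"alice", "bob"},
}
# Constructed document bodies.
DOCS = {
    "/finance/q1-numbers.html": "YOUR EYES ONLY: Q1 revenue 4.2M",
    "/intranet/lunch-menu.html": "Tuesday: tacos",
}
# Constructed Cache-Control directives the origin attaches per resource.
DIRECTIVES = {
    "/finance/q1-numbers.html": "private, max-age=600",
    "/intranet/lunch-menu.html": "public, max-age=600",
}


@dataclass
class Response:
    status: int
    body: str
    cache_control: str = ""


@dataclass
class Origin:
    """Authoritative server: checks the ACL on every request it sees."""
    hits: int = 0

    def get(self, path, user):
        self.hits += 1
        if user not in ACL.get(path, set()):
            return Response(403, "forbidden", "no-store")
        return Response(200, DOCS[path], DIRECTIVES[path])


def parse_cc(value):
    """'private, max-age=600' -> {'private': None, 'max-age': '600'}."""
    out = {}
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        k, _, v = tok.partition("=")
        out[k.strip().lower()] = v.strip() or None
    return out


@dataclass
class NaiveSharedCache:
    """Keys only on path, stores any 200, never rechecks who is asking."""
    origin: Origin
    store: dict = field(default_factory=dict)

    def get(self, path, user):
        if path in self.store:
            return self.store[path]          # served to anyone who asks
        resp = self.origin.get(path, user)
        if resp.status == 200:
            self.store[path] = resp
        return resp


@dataclass
class CompliantSharedCache:
    """Applies the RFC 7234 storage rules for a *shared* cache."""
    origin: Origin
    store: dict = field(default_factory=dict)

    def _storable(self, authenticated, resp):
        cc = parse_cc(resp.cache_control)
        if resp.status != 200 or "no-store" in cc or "private" in cc:
            return False                     # RFC 7234 s3: never store these
        if authenticated and not ({"public", "must-revalidate", "s-maxage"} & set(cc)):
            return False                     # RFC 7234 s3.2: authenticated responses stay per-user
        return True

    def get(self, path, user):
        if path in self.store:
            return self.store[path]          # only ever holds explicitly shareable responses
        resp = self.origin.get(path, user)
        if self._storable(authenticated=user is not None, resp=resp):
            self.store[path] = resp
        return resp


def scenario(cache_cls):
    """Alice (authorized for both docs) fetches them, then Bob asks for the same paths.

    Returns (status Bob gets for the restricted doc, its body,
             status Bob gets for the public doc, number of origin hits).
    """
    origin = Origin()
    cache = cache_cls(origin)
    for path in DOCS:
        cache.get(path, "alice")
    restricted = cache.get("/finance/q1-numbers.html", "bob")
    menu = cache.get("/intranet/lunch-menu.html", "bob")
    return restricted.status, restricted.body, menu.status, origin.hits


if __name__ == "__main__":
    print("naive     :", scenario(NaiveSharedCache))
    print("compliant :", scenario(CompliantSharedCache))
```

With the naive cache Bob receives Alice's "your eyes only" document straight from the store, and the origin is never asked whether Bob may read it. With the compliant cache the `private` response is never stored, so Bob's request reaches the origin and gets 403, while the `public` lunch menu is still served from cache. The practical check for an intranet app is therefore simple: anything gated by per-user auth/auth must go out with `Cache-Control: private` (or `no-store`), because any shared cache in the path, whatever product it is, will otherwise treat the URL alone as the key.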