Bugtraq mailing list archives
Fw: Reported Proxy-Netscape Bug
From: mark () ntshop net (Mark Joseph Edwards)
Date: Tue, 8 Jul 1997 10:44:56 -0500
This is a multi-part message in MIME format. ------=_NextPart_000_01BC8B8B.F9A0A0E0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit
From: David Andrews <xxxx () netscape com> To: MJE <mark () ntsecurity net>; fred () DOTCOM FR Date: Friday, July 04, 1997 2:25 AM Subject: Reported Proxy-Netscape BugMark and Fred, I am sending you this to request that you update the following web
page
on the Squid Proxy issue ( http://www.ntsecurity.net/security/ns4.htm).
Overall, I believe that the web page incorrectly points to Netscape as the source of the problem when the proxy is the issue. Please take
a
look at the below. History: * We first heard about the bug through a call from a reporter yesterday afternoon (7/3 @ 2;30 USA west coast). * Next, our engineers started looking into the report, and we attempted to contact you and Squid. Here's What We Found: * The problem is a user name/password bug in the Squid Proxy. In general, users should be concerned authenticating via FTP is in
the
clear. * Squid takes user name and password, returns it in a URL, stores
it
in an HTML page and also stores it in its own log file. * On the client side, the user name and password ends up in the user's history file. The Risk: * Exploiting the bug would require that a hacker break into the
Proxy
or the client. * Proxy side. If someone can access the server logs, they can get the user name and password information for users. * No problem from the client side. The reported issue exposes the password to the user and the Proxy server operator only. A
hacker
would have to separately attempt to break into the user's
computer
to try and steal the information. User information cannot be
taken
by exploiting reported privacy bug because it has been fixed. What Netscape Is Doing: * We are working with Squid to assist them in patching their
product.
Thanks, David M. Andrews Sr. Security Product Manager Netscape Communications Corp. ----------------------
------=_NextPart_000_01BC8B8B.F9A0A0E0 Content-Type: TEXT/X-VCARD; charset="us-ascii"; name="vcard.vcf" Content-ID: <Pine.SUN.3.94.970708095426.19651E () dfw dfw net> Content-Transfer-Encoding: 7bit Content-Description: Card for David M. Andrews begin: vcard fn: David M. Andrews n: Andrews;David M. org: <img src="http://home.netscape.com/inserts/images/lighthouse.gif"> Netscape Communications Corp. adr: 685 E. Middlefield Road;;MS: MV-032;Mountain View;California;94043-4042;USA email;internet: dandrews () netscape com title: Sr .Security Product Manager tel;work: 415-937-4772 tel;fax: 415-428-4097 tel;home: 800-905-1094 x-mozilla-cpt: ;0 x-mozilla-html: TRUE end: vcard ------=_NextPart_000_01BC8B8B.F9A0A0E0--
Current thread:
- Vulnerability in websendmail, (continued)
- Vulnerability in websendmail Razvan Dragomirescu (Jul 04)
- tar-error inter (Jul 05)
- Solution to MacDNS problem (keywords MacDNS DNS Macintosh Dan Brown (Jul 07)
- Vulnerability in websendmail (fwd) Julian Assange (Jul 07)
- Alert: Utility allows any user to become a member of local Admini Aleph One (Jul 08)
- Re: Vulnerability in websendmail Randal Schwartz (Jul 08)
- SGI Security Advisory 19970502-02-PX - xlock Vulnerability SGI Security Coordinator (Jul 08)
- Buffer Overflows exploit for SunOS 4.1.4 Willy TARREAU (Jul 08)
- GetAdmin NT exploit Christopher Klaus (Jul 08)
- Inside GetAdmin Mark Joseph Edwards (Jul 08)
- Fw: Reported Proxy-Netscape Bug Mark Joseph Edwards (Jul 08)