Bugtraq mailing list archives

Fw: Reported Proxy-Netscape Bug


From: mark () ntshop net (Mark Joseph Edwards)
Date: Tue, 8 Jul 1997 10:44:56 -0500



From: David Andrews <xxxx () netscape com>
To: MJE <mark () ntsecurity net>; fred () DOTCOM FR
Date: Friday, July 04, 1997 2:25 AM
Subject: Reported Proxy-Netscape Bug

Mark and Fred,

I am sending you this to request that you update the following web page
on the Squid Proxy issue (http://www.ntsecurity.net/security/ns4.htm).

Overall, I believe that the web page incorrectly points to Netscape
as the source of the problem when the proxy is the issue.  Please take
a look at the below.

History:

  * We first heard about the bug through a call from a reporter
    yesterday afternoon (7/3 @ 2:30 USA west coast).
  * Next, our engineers started looking into the report, and we
    attempted to contact you and Squid.

Here's What We Found:

  * The problem is a user name/password bug in the Squid Proxy.  In
    general, users should be concerned that authenticating via FTP is
    in the clear.
  * Squid takes user name and password, returns it in a URL, stores it
    in an HTML page and also stores it in its own log file.
  * On the client side, the user name and password end up in the
    user's history file.

The Risk:

  * Exploiting the bug would require that a hacker break into the Proxy
    or the client.
  * Proxy side.  If someone can access the server logs, they can get
    the user name and password information for users.
  * No problem from the client side.  The reported issue exposes the
    password to the user and the Proxy server operator only.  A hacker
    would have to separately attempt to break into the user's computer
    to try and steal the information.  User information cannot be taken
    by exploiting the reported privacy bug because it has been fixed.

What Netscape Is Doing:

  * We are working with Squid to assist them in patching their product.

Thanks,
David M. Andrews
Sr. Security Product Manager
Netscape Communications Corp.
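
The message above describes FTP user names and passwords travelling inside a URL and ending up in the proxy's log file. The following is an added example, not part of the original message and not Squid or Netscape code: a format-agnostic scrubber that finds URLs carrying userinfo in log lines, reports them and redacts the password. The function names and the sample log lines are constructed for illustration.

```python
import re

# A URL whose authority part carries userinfo. The authority ends at the
# first "/", "?" or "#", so an e-mail address in a path or query is ignored.
URL_WITH_USERINFO = re.compile(
    r"(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://"
    r"(?P<userinfo>[^\s/?#]+)@(?P<rest>\S*)"
)

def scrub_line(line):
    """Redact passwords in credential-bearing URLs; return (line, findings)."""
    findings = []

    def _redact(m):
        # Split on the first ":" so a password containing ":" or "@" is
        # still removed in full.
        user, sep, _password = m.group("userinfo").partition(":")
        findings.append((m.group("scheme"), user, bool(sep)))
        secret = ":REDACTED" if sep else ""
        return f"{m.group('scheme')}://{user}{secret}@{m.group('rest')}"

    return URL_WITH_USERINFO.sub(_redact, line), findings

def scrub_log(lines):
    """Scrub every line; findings are (line_no, scheme, user, had_password)."""
    clean, report = [], []
    for number, line in enumerate(lines, start=1):
        scrubbed, found = scrub_line(line)
        clean.append(scrubbed)
        report.extend((number, *item) for item in found)
    return clean, report

# Constructed sample lines, loosely shaped like a proxy access log.
SAMPLE_LOG = [
    "868351496.123 412 192.0.2.10 TCP_MISS/200 5120 GET "
    "ftp://alice:s3cret@ftp.example.com/pub/report.txt - DIRECT/ftp.example.com text/plain",
    "868351497.456 88 192.0.2.11 TCP_MISS/200 910 GET "
    "http://www.example.com/contact?mail=bob@example.org - DIRECT/www.example.com text/html",
    "868351498.789 230 192.0.2.12 TCP_MISS/200 2048 GET "
    "ftp://anonymous@ftp.example.net/README - DIRECT/ftp.example.net text/plain",
]

if __name__ == "__main__":
    cleaned, report = scrub_log(SAMPLE_LOG)
    for entry in report:
        print("credential-bearing URL:", entry)
    print("\n".join(cleaned))
```

Redaction only limits further exposure in copies of the log; any password that was already written to a log or history file should be treated as disclosed and changed.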