Re: This sounds like a security disaster just waiting to happen...

[Steve Pirk <orion () pirk com>]

On Wed, 29 Apr 2009, Rich Kulawiec wrote:

> On Wed, Apr 29, 2009 at 12:27:41PM -0700, Steve Pirk wrote:
... embarassing comments deleted ...
> > safe enough, no?
>
> Well...I'm not so sure.  I mean, if we grant the "done correctly" part
> for the sake of argument, it sounds to me like a file F requested by
> user A on system X may be cached on system Y used by user B, even if
> user B does not have the appropriate permissions for file F.  If that's
> the case, and it may not be, then a security issue with system Y or
> user B could expose file F.
>
> Is this how others are reading it?

After I got up off the floor laughing at the who's on first beauty of the 
above logic chart, it hit me that this probably would not be limited to 
"internet" cached data, but possibly all internal web data as Rich says. 
Right away I thought of ACL content (auth/auth) that is web based within a 
company tagged "your eyes only" that could be cached.

Quick, how many apps do _not_ use windows domain based auth/auth to 
determine who is allowed to see content. Ick. This would be bad where I 
work.

"read the entire blurb steve..."

-steve
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.