Home page logo
/

bugtraq logo Bugtraq mailing list archives

Fw: Reported Proxy-Netscape Bug
From: mark () ntshop net (Mark Joseph Edwards)
Date: Tue, 8 Jul 1997 10:44:56 -0500


This is a multi-part message in MIME format.

------=_NextPart_000_01BC8B8B.F9A0A0E0
Content-Type: text/plain;
        charset="us-ascii"
Content-Transfer-Encoding: 7bit

From: David Andrews <xxxx () netscape com>
To: MJE <mark () ntsecurity net>; fred () DOTCOM FR
Date: Friday, July 04, 1997 2:25 AM
Subject: Reported Proxy-Netscape Bug

Mark and Fred,

I am sending you this to request that you update the following web
page
on the Squid Proxy issue ( http://www.ntsecurity.net/security/ns4.htm).

Overall, I believe that the web page incorrectly points to Netscape
as the source of the problem when the proxy is the issue.  Please take
a
look at the below.

History:

  * We first heard about the bug through a call from a reporter
    yesterday afternoon (7/3 @ 2;30 USA west coast).
  * Next, our engineers started looking into the report, and we
    attempted to contact you and Squid.

Here's What We Found:

  * The problem is a user name/password bug in the Squid Proxy.  In
    general, users should be concerned authenticating via FTP is in
the
    clear.
  * Squid takes user name and password, returns it in a URL, stores
it
    in an HTML page and also stores it in its own log file.
  * On the client side, the user name and password ends up in the
    user's history file.

The Risk:

  * Exploiting the bug would require that a hacker break into the
Proxy
    or the client.
  * Proxy side.  If someone can access the server logs, they can get
    the user name and password information for users.
  * No problem from the client side.  The reported issue exposes the
    password to the user and the Proxy server operator only.  A
hacker
    would have to separately attempt to break into the user's
computer
    to try and steal the information.  User information cannot be
taken
    by exploiting reported privacy bug because it has been fixed.

What Netscape Is Doing:

  * We are working with Squid to assist them in patching their
product.

Thanks,
David M. Andrews
Sr. Security Product Manager
Netscape Communications Corp.
----------------------



------=_NextPart_000_01BC8B8B.F9A0A0E0
Content-Type: TEXT/X-VCARD;
        charset="us-ascii";
        name="vcard.vcf"
Content-ID: <Pine.SUN.3.94.970708095426.19651E () dfw dfw net>
Content-Transfer-Encoding: 7bit
Content-Description: Card for David M. Andrews

begin:          vcard
fn:             David M. Andrews
n:              Andrews;David M.
org:            <img src="http://home.netscape.com/inserts/images/lighthouse.gif";> Netscape Communications Corp.
adr:            685 E. Middlefield Road;;MS: MV-032;Mountain View;California;94043-4042;USA
email;internet: dandrews () netscape com
title:          Sr .Security Product Manager
tel;work:       415-937-4772
tel;fax:        415-428-4097
tel;home:       800-905-1094
x-mozilla-cpt:  ;0
x-mozilla-html: TRUE
end:            vcard


------=_NextPart_000_01BC8B8B.F9A0A0E0--



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]