Fw: Reported Proxy-Netscape Bug
From: mark () ntshop net (Mark Joseph Edwards)
Date: Tue, 8 Jul 1997 10:44:56 -0500
From: David Andrews <xxxx () netscape com>
To: MJE <mark () ntsecurity net>; fred () DOTCOM FR
Date: Friday, July 04, 1997 2:25 AM
Subject: Reported Proxy-Netscape Bug
Mark and Fred,
I am sending you this to request that you update the following web
on the Squid Proxy issue ( http://www.ntsecurity.net/security/ns4.htm).
Overall, I believe that the web page incorrectly points to Netscape
as the source of the problem when the proxy is the issue. Please take
look at the below.
* We first heard about the bug through a call from a reporter
yesterday afternoon (7/3 @ 2:30 USA west coast).
* Next, our engineers started looking into the report, and we
attempted to contact you and Squid.
Here's What We Found:
* The problem is a user name/password bug in the Squid Proxy. In
general, users should be concerned authenticating via FTP is in
* Squid takes user name and password, returns it in a URL, stores
in an HTML page and also stores it in its own log file.
* On the client side, the user name and password end up in the
user's history file.
* Exploiting the bug would require that a hacker break into the
or the client.
* Proxy side. If someone can access the server logs, they can get
the user name and password information for users.
* No problem from the client side. The reported issue exposes the
password to the user and the Proxy server operator only. A
would have to separately attempt to break into the user's
to try and steal the information. User information cannot be
by exploiting reported privacy bug because it has been fixed.
What Netscape Is Doing:
* We are working with Squid to assist them in patching their
David M. Andrews
Sr. Security Product Manager
Netscape Communications Corp.
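
An added example, not part of the original message: a Python check that a proxy operator could run over an access log to find FTP URLs carrying a user name and password, and to redact the password before the log is kept or shared. The log lines are constructed samples and their layout is an assumption; the names find_exposed and redact are hypothetical.

```python
import re
from urllib.parse import unquote

# ftp://user:password@host/...  The user, password and host are captured
# separately so the password can be dropped without losing the rest.
FTP_CRED = re.compile(r"(ftp://)([^\s/:@]+):([^\s/@]*)@([^\s/]+)", re.IGNORECASE)

# Constructed sample lines (assumed layout, not taken from a real proxy log).
SAMPLE_LOG = [
    "868350296.123 412 10.0.0.5 TCP_MISS/200 1843 GET "
    "ftp://alice:s3cret@ftp.example.com/pub/ - DIRECT/ftp.example.com text/html",
    "868350301.456 120 10.0.0.7 TCP_MISS/200 902 GET "
    "ftp://ftp.example.org/README - DIRECT/ftp.example.org text/plain",
    "868350310.789 95 10.0.0.5 TCP_HIT/200 5120 GET "
    "http://www.example.net/index.html - NONE/- text/html",
    "868350322.001 300 10.0.0.9 TCP_MISS/200 77 GET "
    "ftp://bob%40corp:p%40ss@files.example.com/in/ - DIRECT/files.example.com text/html",
]


def find_exposed(lines):
    """Return (line number, user, host) for every FTP URL with a password.

    The password itself is never returned, so the report can be circulated.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in FTP_CRED.finditer(line):
            user = unquote(match.group(2))  # decode %40 and similar escapes
            hits.append((number, user, match.group(4)))
    return hits


def redact(line):
    """Replace the password in any FTP URL on the line with '***'."""
    return FTP_CRED.sub(r"\1\2:***@\4", line)


if __name__ == "__main__":
    for number, user, host in find_exposed(SAMPLE_LOG):
        print(f"line {number}: password logged for {user} on {host}")
    for line in SAMPLE_LOG:
        print(redact(line))
```
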