Bugtraq mailing list archives

Fw: Reported Proxy-Netscape Bug
From: mark () ntshop net (Mark Joseph Edwards)
Date: Tue, 8 Jul 1997 10:44:56 -0500

From: David Andrews <xxxx () netscape com>
To: MJE <mark () ntsecurity net>; fred () DOTCOM FR
Date: Friday, July 04, 1997 2:25 AM
Subject: Reported Proxy-Netscape Bug

Mark and Fred,

I am sending you this to request that you update the following web
on the Squid Proxy issue ( http://www.ntsecurity.net/security/ns4.htm).

Overall, I believe that the web page incorrectly points to Netscape
as the source of the problem when the proxy is the issue.  Please take
look at the below.


  * We first heard about the bug through a call from a reporter
    yesterday afternoon (7/3 @ 2:30 USA west coast).
  * Next, our engineers started looking into the report, and we
    attempted to contact you and Squid.

Here's What We Found:

  * The problem is a user name/password bug in the Squid Proxy.  In
    general, users should be concerned authenticating via FTP is in
  * Squid takes user name and password, returns it in a URL, stores
    in an HTML page and also stores it in its own log file.
  * On the client side, the user name and password ends up in the
    user's history file.

The Risk:

  * Exploiting the bug would require that a hacker break into the
    or the client.
  * Proxy side.  If someone can access the server logs, they can get
    the user name and password information for users.
  * No problem from the client side.  The reported issue exposes the
    password to the user and the Proxy server operator only.  A
    would have to separately attempt to break into the user's
    to try and steal the information.  User information cannot be
    by exploiting reported privacy bug because it has been fixed.

What Netscape Is Doing:

  * We are working with Squid to assist them in patching their

David M. Andrews
Sr. Security Product Manager
Netscape Communications Corp.
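
Added example, not part of the original message and not code from Squid or Netscape: one way a proxy operator could audit an access log for the exposure described above, where a user name and password are carried in a logged URL, and redact the password. The log layout, hosts and credentials are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample lines. Assumed layout: the request URL is one
# whitespace-separated field of each access-log line.
SAMPLE_LOG = """\
868370696.123 412 10.0.0.5 TCP_MISS/200 1820 GET ftp://alice:s3cret@ftp.example.com/pub/report.txt - DIRECT/ftp.example.com text/plain
868370701.456 95 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.org/index.html - DIRECT/www.example.org text/html
868370733.789 230 10.0.0.5 TCP_MISS/200 940 GET ftp://anonymous@ftp.example.net/README - DIRECT/ftp.example.net text/plain
"""

# Any scheme://... token up to the next whitespace.
URL_FIELD = re.compile(r"\b[a-z][a-z0-9+.-]*://\S+", re.IGNORECASE)


def redact_url(url):
    """Return (url_with_password_masked, had_password)."""
    parts = urlsplit(url)
    if parts.password is None:          # no "user:password@" in the authority
        return url, False
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]    # keep the user name for the audit trail
    netloc = f"{user}:REDACTED@{hostport}"
    masked = urlunsplit((parts.scheme, netloc, parts.path,
                         parts.query, parts.fragment))
    return masked, True


def scan_log(text):
    """Return ([(line_no, user, host), ...], redacted_log_text)."""
    findings, out = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        def fix(match, line_no=line_no):
            masked, hit = redact_url(match.group(0))
            if hit:
                p = urlsplit(masked)
                findings.append((line_no, p.username, p.hostname))
            return masked
        out.append(URL_FIELD.sub(fix, line))
    return findings, "\n".join(out)


if __name__ == "__main__":
    hits, cleaned = scan_log(SAMPLE_LOG)
    for line_no, user, host in hits:
        print(f"line {line_no}: password logged for {user}@{host}")
    print(cleaned)
```

Any account reported by the scan should have its password changed, since the original log and any copies or backups still hold the clear-text value.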
