Bugtraq: Re: Bigfoot/Bellsouth Webmail bug

From: Madere, Russel <rmadere_at_STEI.COM>
Date: Sat, 9 Jan 1999 17:32:20 -0600

Yes. I logged out, immediately loaded the cached page and just hit the Login
button again and got right in. On another machine, I logged in and logged
out. I let the browser sit for 1 hour and repeated the previous
experiment. I repeated with 2 and 3 hour intervals as well. Each time, I
was able to simply hit the Login button and log in.

Russel

-----Original Message-----
From: James Nerlinger, Jr. [mailto:jnj_at_AIS-BBS.ORG]
Sent: Friday, January 08, 1999 11:58 AM
To: BUGTRAQ_at_NETSPACE.ORG
Subject: Re: Bigfoot/Bellsouth Webmail bug

>I seem to have found another "bug" with the Bigfoot/Bellsouth Webmail.
>Users can log back into the service from cached pages. This is a huge
>security hole, especially for users accessing these services from public
>terminals. Subsequent users can just use the back button to go back in the
>previous session history and log in as the previous user.

This is not uncommon in web based email & conferencing packages, however,
most are authored to only allow this for a certain amount of time and to
disregard the attempt if the user logged out properly. Out of curiosity,
did you test this with the two variables of time and a logout?

James
Received on Jan 10 1999
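
An added example, not part of the original messages and not the Bigfoot/Bellsouth code: a minimal server-side session table in which a request replayed from a cached page fails after a logout or after an idle timeout, the two variables raised in the thread. It assumes the cached page replays a server-issued session token; the class name, the timeout value and the choice of headers are illustrative.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value for illustration

# Response headers asking browsers and proxies not to store authenticated pages,
# so the back button has nothing to redisplay on a shared terminal.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store",
    "Pragma": "no-cache",
    "Expires": "0",
}


class SessionStore:
    """Server-side session table: a token is only valid while its entry exists."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}  # token -> (user, last_seen)
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be exercised without sleeping

    def login(self, user):
        # Issue a fresh unguessable token on every login; never reuse an old one.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock())
        return token

    def logout(self, token):
        # Drop the server-side state, so a replay from a cached page matches nothing.
        self._sessions.pop(token, None)

    def authenticate(self, token):
        """Return the user for a live token, or None if logged out, expired or unknown."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle_timeout:
            del self._sessions[token]  # expired: remove so it cannot be revived
            return None
        self._sessions[token] = (user, now)  # sliding idle window
        return user
```

The check in `authenticate` runs on the server for every request, so it holds even when a browser ignores the cache headers.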
