Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Intacct.com: Multiple bugs at financial services company
From: Andrew Pimlott <andrew () PIMLOTT NE MEDIAONE NET>
Date: Wed, 6 Sep 2000 15:13:55 -0400

On Wed, Sep 06, 2000 at 07:48:01AM -0400, Chris L. Mason wrote:
I think there's a solution to this "problem" that is far too often
overlooked.  More sites simply need to start using HTTP Basic
Access Authentication.

If you think this is the solution, you don't understand the
cross-site scripting class of vulnerabilities.  Honest.  Read
http://www.apache.org/info/css-security/ a few times.

HTTP authentication is just a limited cookie.  It is basically not
possible for HTTP authentication to be more secure than cookies
(modulo implementation quirks).  It can be less secure, because
there is no standard way to force (more accurately, advise)
expiration.  If you don't understand why this is desirable, see
above.  Hint: this is about protecting the client, not protecting
the server.

4.  One user of a service can email another a URL from within the site, and
      the other user can actually use it, *and* be authenticated properly
      with their own id!

Exactly the problem.  Do you really want
http://bank.example.com/transfer.cgi?amount=1000.00&recipient=apimlott
to "just work"?  If you don't think I can trick you into going to
that URL, I bet you're wrong.

I wish companies would focus on providing services as secure as possible at
their end.  You only control *your* systems, so focus on securing *them*.

Sure, let's all ignore our customers' security.  In fairness,
hotmail.com, intacct.com, and many other sites seem to agree.

Andrew


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]