LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

lsvadmin <[log in to unmask]>
Wed, 22 Dec 1999 08:58:38 +1100
Roger,

thanks again for persisting with trying to help me sort out why this is
happening.


LSTSRV-L list:

When I ask anyone who knows about CGI they all say it is because that
particular bit of data (userid/passwd) is handled by a GET; this drops it
into the URL and hands it as arguments to wa, leaving it able to be
bookmarked.

It is just a means of gathering information. Different places use POST
and dynamic HTML forms to pass the information without it showing up in
the URL. Others use GET and it does show up. Others use cookies
(which appear to me to be much maligned as a security problem; their
problems are, like the majority of those with CGI, lack of thought when
programming them to start with).

I still don't think others on the list understand what the actual security
problem is, regardless of whether this web interface is secure enough
for our needs here or not. The real security problem is that I can
bookmark pages inside the product that I SHOULDN'T be able to. I was
told I shouldn't be able to on this list by people who I presumed would
not give me faulty information, so I took it as advice.

Should the program let me bookmark these pages or not? If it doesn't
care one way or the other, then the message I received back was
misinforming at best. In which case, why does this list exist if the
advice you receive is not based on fact?

From this simple misinformation the rest has resulted. It IS a severe
security risk in the product if I can bookmark pages that the product
shouldn't allow me to bookmark. I made a mistake in sending the reply
back to the list instead of to support. I have already apologised to L-Soft
for that, through a mail to Ben Parker. That reply, though, is not incorrect
in any way. It is based on the information provided to me that the
product is allowing me to bookmark pages that the product shouldn't be
allowing me to.

I'm honestly tired of the whole thing. The product doesn't meet OUR
specific security needs, so it will be used by administration staff only
until we secure the server further down, and then it will only be used by
list owners and not available to subscribers. And this is because it uses
the GET command instead of any of the other methods, and those URLs
can be bookmarked, and those bookmarks used by anyone while they
remain valid, and the password for the list owner can be gained by
running that bookmark through a passwd cracker, providing the person
with more permanent access. There is no way we can ensure that our
list owners and subscribers will not bookmark these pages.

Whether the product meets or doesn't meet any other LISTSERV
administrator's security standards is up to each of them to decide, and I
would assume that this would be deemed to pose no problem for most.

I hope this doesn't sound like going off; the last thing I need right now is
more knee-jerk defensive reactions from anyone (including myself), but I
have begun to feel that it's like talking to a brick wall because I can't get
past those defensive reactions brought on by questioning the security of
the product and mistakenly posting that questioning to the list instead
of to support.

I'm going to put the question to the list one last time:

Does the product allow me to bookmark pages that THE PRODUCT
shouldn't allow me to bookmark?







On 20 Dec 99, at 23:41, Roger Fajman wrote:

> > I have even had an admin here copy and paste my bookmark url string
> > and use it from their PC to access the page I bookmarked.
>
> As Eric said, this will work if you do it within the 10-minute timeout,
> unless you use the option he mentioned to restrict the tickets to a
> specific IP address.
>
> > There seems to be a difference in how different browsers handle it too.
> > Netscape will require login if you clear the cache. IE even after clearing
> > still allowed me to use that URL for 3 - 4 days before killing it off. Opera
> > still allows me in now 5 days after saving the url as a bookmark.
>
> Now here's a hint, I think.  There are browser settings that control
> whether the browser checks the website or just uses a cached copy.  In
> Netscape there's a choice of checking the cached copy against the web
> site (1) once per session, (2) every time, or (3) never.  I have mine
> set to every time, but I don't think that's the default.  If you have
> it set to once per session and never restart the browser, it's never
> going to go back to the LISTSERV website, but will show you the page
> from the cache.  But you won't actually be able to update anything
> without logging in, as then it will have to go to the web server.
>
> This setting is under Edit, Preferences, Advanced, Cache (you have to
> expand Advanced to see it) in Netscape.
>
> > I will give it a go with disabling cookies. It is just that this seems
> > logistically almost impossible to ensure that all our listowners machines
> > also have cookies disabled. Or that anyone who gets hold of that
> > bookmark file or the string will have a PC with their cookies disabled.
>
> Yes, I just suggested it as a test.
>
