LSTSRV-L Archives

LISTSERV Site Administrators' Forum

LSTSRV-L

lsvadmin <[log in to unmask]>
Tue, 21 Dec 1999 12:50:06 +1100
text/plain (53 lines)
On 20 Dec 99, at 19:05, Roger Fajman wrote:
> > On first voicing the problem I was told that I was bookmarking pages I
> > shouldn't. The concern expressed by everyone that I have talked to has
> > been that if I am bookmarking pages I shouldn't then that constitutes a
> > security problem in the product.
> >
> > That is:-
> > the ability to bookmark a page that SHOULDN'T be bookmarked is the
> > security problem
>
> Maybe so, but it's not a problem in LISTSERV.  It's the browser that
> does bookmarking.  I've never heard of a way to designate a URL as
> not allowed to be bookmarked.
>
Yet I was told I was bookmarking pages I shouldn't be. To me this
means that if I shouldn't be doing it, I shouldn't be able to do it, as it is a
basic function of most browsers to allow the user to bookmark often
visited pages. URLs don't have to contain the userid and password, they
don't have to contain valid arguments to a CGI script. This can be done
differently.

In the time I can spend in researching I have been able to find out that it
may be whether GET or POST is used for that login that decides
whether the URL displays the userid and login as arguments to wa.
Using GET generally drops that info in, while using POST requires a bit
more programming, but doesn't display that information. I have to check
it out further yet to be sure this is correct.

I don't know if this should be classed as a LISTSERV problem either. There
are no warnings about what might happen here if you do bookmark a
page once you are past that authentication area, and no warnings
saying you shouldn't bookmark any pages past that authentication area
at all. The only mention I have been able to find in the Site Manager's
manual was on page 27:
"Please note that when removing a list from the WWW archive interface,
you MUST delete the list's directory under 'archives'. Otherwise
someone with a bookmarked URL may still be able to access some of
the archives via the web."

Other mention is made in the List Owner's Manual but is regarding only
the action of saving your password as a cookie (pg 112) and a little
further in a note (pg 114). This covers only saving it as a cookie and
does not mention that if you don't save it as a cookie and bookmark
pages inside of there you are effectively saving your password for differing
amounts of time and bypassing that login screen for differing amounts of
time (seems to be browser dependent and may be server dependent,
but I am not sure about the server side).

Sorry, but if it isn't covered, how can anyone know they are not
supposed to do it, and that is a documentation problem.

[log in to unmask]
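The GET-versus-POST point above is something a site administrator can verify from the web server's own access log: a login submitted with GET leaves the userid and password in the request line, where they also end up in bookmarks, browser history and Referer headers, while a POST body is never logged. The script below is an added example, not part of this thread or of LISTSERV; the access-log lines are constructed, and the credential parameter names it looks for are assumptions, since the post does not name the arguments wa actually takes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string keys treated as credential-bearing. These names are an
# assumption for illustration; the post names no specific parameters
# accepted by LISTSERV's "wa" CGI. Adjust to the real form field names.
CREDENTIAL_KEYS = {"userid", "password", "pw", "login", "e", "p"}

# Constructed Common Log Format lines, not taken from any real server.
# 1: login via GET, credentials land in the URL (and so in the log).
# 2: login via POST, only the path is logged, the form body is not.
# 3: ordinary archive fetch with harmless arguments.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/1999:19:05:01 +1100] "GET /cgi-bin/wa?LOGON&userid=alice%40example.org&password=hunter2 HTTP/1.0" 200 1532
10.0.0.5 - - [20/Dec/1999:19:06:14 +1100] "POST /cgi-bin/wa HTTP/1.0" 200 1532
10.0.0.7 - - [20/Dec/1999:19:07:22 +1100] "GET /cgi-bin/wa?A1=ind9912&L=LSTSRV-L HTTP/1.0" 200 8811
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def credential_params(target):
    """Return the sorted credential-like query keys present in a request target."""
    query = urlsplit(target).query
    # keep_blank_values so a bare flag such as "LOGON" parses instead of being dropped
    return sorted(k for k in parse_qs(query, keep_blank_values=True)
                  if k.lower() in CREDENTIAL_KEYS)


def find_leaked_logins(log_text):
    """Return (ip, method, target, keys) for every request whose URL carries credentials."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        keys = credential_params(m["target"])
        if keys:
            hits.append((m["ip"], m["method"], m["target"], keys))
    return hits


if __name__ == "__main__":
    for ip, method, target, keys in find_leaked_logins(SAMPLE_LOG):
        print(f"{ip} {method} {target}  <- credentials in URL: {', '.join(keys)}")
```

Any hit means that URL, once bookmarked or recorded, replays the login without the login screen; switching the form to POST (and rotating the exposed passwords) is the fix on the server side.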
