ISA 2000 Cache Security Problem

  • From: "Hatton, Chris - SAL" <Chris.Hatton@xxxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 23 Jun 2005 16:00:41 +1200

Hi all,

I seem to have found a possible security problem with ISA2000.

Our setup includes a route to an upstream ISA2000 at our head office and the
last route to a DSL connection.

If we use the default route rule caching options everything works fine;
however, if we use the cache option 'any version of the object' instead of
the default option 'A valid version of the object' we find that users can
inadvertently hijack what seems to be another user's cookie/web session.

To explain this a bit more clearly: user 1 logs onto his personal webmail or
online trading account and maybe disconnects rather than logging off.

User 2 logs onto their own personal webmail or trading account on the same
website using their own logon details (even on a separate computer), and it
displays user 1's emails and personal information as if you were actually
logged on as user 1. Any ability to change or delete settings seems to only
affect your own account, but you can read and download anything from user 1.

Can anyone explain this?

Regards,

Chris Hatton
Information Systems Engineer
Safe Air Ltd
Phone: 03 5727793
Mobile: 021 544 570
Email: chris.hatton@xxxxxxxxxxxxx

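The scenario in the post is the classic shared-cache failure: a per-user, cookie-authenticated page is stored under its URL alone and then handed to the next client that asks for that URL. The following Python model is an added example, not code from the original post and not ISA Server's own logic. It assumes a simplified proxy in which the "valid version" option refetches anything stale and the "any version" option hands back whatever is stored regardless of freshness, and it uses a constructed webmail URL and two constructed session cookies. It also shows the response and request header checks (the RFC 7234 rules for `private`, `no-store`, `Authorization` and a conservative cookie heuristic) that stop such a response from ever entering a shared cache, so the leak cannot happen under either serving policy.

```python
# Added example (not from the original post or from ISA Server): a minimal shared
# proxy cache keyed on URL only, showing how "serve any stored version" leaks one
# user's authenticated page to another, and the cacheability checks that prevent it.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def cache_control(resp: Response) -> set:
    """Split the Cache-Control header into lowercase directives."""
    raw = resp.headers.get("Cache-Control", "")
    return {d.strip().lower() for d in raw.split(",") if d.strip()}


def max_age(resp: Response) -> int:
    """Freshness lifetime in seconds (s-maxage wins for a shared cache); 0 means 'stale at once'."""
    cc = cache_control(resp)
    for key in ("s-maxage=", "max-age="):
        for d in cc:
            if d.startswith(key):
                return int(d[len(key):])
    return 0


def shared_cacheable(req_headers: Dict[str, str], resp: Response) -> Tuple[bool, str]:
    """Conservative subset of RFC 7234 rules a shared cache must apply before storing."""
    cc = cache_control(resp)
    if resp.status != 200:
        return False, "only 200 responses are stored in this model"
    if "no-store" in cc:
        return False, "Cache-Control: no-store"
    if "private" in cc:
        return False, "Cache-Control: private (per-user response)"
    if "Authorization" in req_headers and "public" not in cc:
        return False, "response to an authorized request is not marked public"
    if "Set-Cookie" in resp.headers and "public" not in cc:
        return False, "response sets a cookie and is not marked public"
    if "Cookie" in req_headers and max_age(resp) == 0 and "Expires" not in resp.headers:
        return False, "cookie-bearing request with no explicit freshness (conservative heuristic)"
    return True, "ok"


# Constructed sample data: two logged-in sessions on the same webmail URL.
SESSIONS = {
    "sid=user1": "user1's inbox: 'Statement ready' from bank",
    "sid=user2": "user2's inbox: 'Lunch?' from a colleague",
}


def origin(req_headers: Dict[str, str]) -> Response:
    """Constructed origin: body depends on the session cookie, marked private, never fresh."""
    session = SESSIONS.get(req_headers.get("Cookie", ""))
    if session is None:
        return Response(401, {"Cache-Control": "no-store"}, "login required")
    return Response(200, {"Cache-Control": "private, max-age=0"}, session)


class ProxyCache:
    """Shared cache keyed on URL only (no Vary on Cookie), as in the post's scenario."""

    def __init__(self, policy: str, enforce_cacheability: bool):
        assert policy in ("valid_only", "any_version")
        self.policy = policy
        self.enforce = enforce_cacheability
        self.store: Dict[str, dict] = {}

    def get(self, url: str, req_headers: Dict[str, str], now: int) -> Tuple[Response, str]:
        entry = self.store.get(url)
        if entry is not None:
            fresh = now - entry["stored_at"] <= entry["max_age"]
            # any_version: return the stored copy fresh or stale, never asking the origin.
            # valid_only: a stale copy is refetched (modelled as a plain refetch).
            if self.policy == "any_version" or fresh:
                return entry["resp"], "HIT"
        resp = origin(req_headers)
        ok = shared_cacheable(req_headers, resp)[0] if self.enforce else resp.status == 200
        if ok:
            self.store[url] = {"resp": resp, "stored_at": now, "max_age": max_age(resp)}
        return resp, "MISS"


def simulate(policy: str, enforce_cacheability: bool) -> Tuple[str, str, bool]:
    """User 1 reads the inbox; 30 s later user 2 (own cookie, other machine) reads the same URL.
    Returns (body user 2 saw, cache status, whether user 1's data leaked)."""
    proxy = ProxyCache(policy, enforce_cacheability)
    url = "http://webmail.example/inbox"  # constructed URL
    proxy.get(url, {"Cookie": "sid=user1"}, now=100)
    resp, status = proxy.get(url, {"Cookie": "sid=user2"}, now=130)
    return resp.body, status, resp.body == SESSIONS["sid=user1"]


if __name__ == "__main__":
    for policy in ("valid_only", "any_version"):
        for enforce in (False, True):
            body, status, leaked = simulate(policy, enforce)
            print(f"{policy:12} enforce={str(enforce):5} {status:4} leaked={leaked} -> {body}")
```

Running the four combinations shows the pattern the post describes: with cacheability unchecked, "valid only" is saved by the origin's `max-age=0` (the stale copy is refetched with user 2's cookie), while "any version" returns user 1's stored inbox to user 2. With `shared_cacheable` enforced the private response is never stored, so both serving policies are safe. The practical lesson for operators is that a serving option which ignores freshness is only as safe as the store-side checks, and for site owners that `Cache-Control: private` or `no-store` on every authenticated page is what keeps a misconfigured intermediary from becoming a session-disclosure path.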