RE: ISA 2000 Cache Security Problem

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 22 Jun 2005 22:55:33 -0700

ISA doesn't have the ability to separate cache content on a "per-user"
basis.

If you set ISA to cache everything in sight, you'll get exactly that.

Plus, it also depends on how the site delivers the content.

Don't assume that the web site actually sets a cookie properly using a
Set-Cookie header; many, in fact, simply send data that the web app
itself manages.

Try to get captures of this process and you'll be able to see for
certain (assuming it's not SSL).

________________________________

From: Hatton, Chris - SAL [mailto:Chris.Hatton@xxxxxxxxxxxxx] 
Sent: Wednesday, June 22, 2005 9:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2000 Cache Security Problem

http://www.ISAserver.org

Hi all,

I seem to have found a possible security problem with ISA2000.

Our setup includes a route to an upstream ISA2000 at our head office and
the last route to a DSL connection.

If we use the default route rule caching options everything works fine;
however, if we use the cache option 'any version of the object' instead
of the default option 'A valid version of the object', we find that users
can inadvertently hijack what seems to be another user's cookie/web
session.

To explain this a bit more clearly: user 1 logs onto his personal webmail
or online trading account and maybe disconnects rather than logging off.

User 2 logs onto their own personal webmail or trading account on the
same website using their own logon details (even from a separate
computer). It displays user 1's emails and personal information as if
you were actually logged on as user 1. Any ability to change or delete
settings seems to affect only your own account, but you can read and
download anything from user 1.

Can anyone explain this?

Regards,

Chris Hatton 

Information Systems Engineer 

Safe Air Ltd 

Phone: 03 5727793 

Mobile: 021 544 570 

Email: chris.hatton@xxxxxxxxxxxxx
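Jim's advice above is to capture the traffic and look at what the site actually sends, and Chris's report is that the symptom appears only when the proxy is told to serve 'any version of the object' rather than a valid (fresh) one. The following audit script, added here as an example and not code from either poster or from ISA Server, parses raw HTTP/1.x response headers of the kind a capture of a webmail login would show and reports three things a defender needs to know: whether a shared cache is permitted to store the response at all (Cache-Control: private / no-store), whether a freshness-respecting cache would still reuse it (max-age, s-maxage, Expires versus Date), and whether the response carries per-user state (Set-Cookie without a Vary: Cookie). The sample responses and cookie values are constructed; the `any_version` flag is this example's own way of modelling a cache that ignores freshness.

```python
"""Audit captured HTTP responses for shared-cache safety.

Added example, not code from the original thread or from ISA Server.
The sample responses below are constructed; header names are standard HTTP.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime


@dataclass
class Verdict:
    storable: bool        # may a shared cache store this response at all?
    fresh: bool           # would a freshness-respecting cache still reuse it?
    user_specific: bool   # does the response carry per-user state?
    notes: list[str] = field(default_factory=list)


def parse_response(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Return the status line and a lower-cased header-name -> values multimap."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def cache_directives(headers: dict[str, list[str]]) -> dict[str, str | None]:
    """Flatten every Cache-Control header into {directive: argument-or-None}."""
    directives: dict[str, str | None] = {}
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            part = part.strip()
            if part:
                name, _, arg = part.partition("=")
                directives[name.lower()] = arg.strip('" ') or None
    return directives


def audit_response(raw: str) -> Verdict:
    _status, headers = parse_response(raw)
    cc = cache_directives(headers)
    v = Verdict(storable=True, fresh=False, user_specific=False)

    # Storability: no-store or private forbids a shared cache from keeping the response.
    if "no-store" in cc:
        v.storable = False
        v.notes.append("Cache-Control: no-store forbids storing")
    if "private" in cc:
        v.storable = False
        v.notes.append("Cache-Control: private forbids shared caches")

    # Freshness: s-maxage wins for shared caches, then max-age, then Expires vs Date.
    lifetime = cc.get("s-maxage", cc.get("max-age"))
    if lifetime is not None and lifetime.isdigit():
        v.fresh = int(lifetime) > 0
    elif "expires" in headers and "date" in headers:
        try:
            v.fresh = parsedate_to_datetime(headers["expires"][0]) > parsedate_to_datetime(headers["date"][0])
        except (TypeError, ValueError):
            v.fresh = False  # an unparsable Expires (e.g. "-1") counts as already expired
    else:
        v.fresh = True  # no explicit lifetime: a cache may assign a heuristic one
        v.notes.append("no explicit freshness; heuristic caching possible")

    # Per-user state: a session cookie makes the body user-specific; without Vary: Cookie
    # a stored copy is keyed by URL alone and can be handed to the next user.
    if "set-cookie" in headers:
        v.user_specific = True
        vary = {t.strip().lower() for val in headers.get("vary", []) for t in val.split(",")}
        if v.storable and not vary & {"cookie", "*"}:
            v.notes.append("Set-Cookie without Vary: Cookie; stored copy keyed by URL only")
    return v


def would_proxy_serve_to_other_user(raw: str, any_version: bool) -> bool:
    """any_version=False models the 'valid version' rule (reuse only fresh copies);
    any_version=True models a cache that reuses whatever it holds regardless of age."""
    v = audit_response(raw)
    return v.storable and (v.fresh or any_version)


# Constructed capture of a webmail inbox page that relies on expiry alone.
INBOX_EXPIRED_ONLY = (
    "HTTP/1.1 200 OK\r\nDate: Wed, 22 Jun 2005 21:00:00 GMT\r\n"
    "Expires: Wed, 22 Jun 2005 20:00:00 GMT\r\n"
    "Set-Cookie: SESSIONID=constructed-user1; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html>user1's mailbox</html>"
)
# Same page with headers that keep it out of any shared cache.
INBOX_PRIVATE = (
    "HTTP/1.1 200 OK\r\nDate: Wed, 22 Jun 2005 21:00:00 GMT\r\n"
    "Cache-Control: private, no-store\r\n"
    "Set-Cookie: SESSIONID=constructed-user1; path=/\r\n"
    "Content-Type: text/html\r\n\r\n<html>user1's mailbox</html>"
)
# A genuinely shareable object.
LOGO = "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=3600\r\nContent-Type: image/png\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("inbox/expires", INBOX_EXPIRED_ONLY), ("inbox/private", INBOX_PRIVATE), ("logo", LOGO)]:
        v = audit_response(raw)
        print(f"{name}: storable={v.storable} fresh={v.fresh} user_specific={v.user_specific}")
        print(f"  reused for another user, valid-version rule: {would_proxy_serve_to_other_user(raw, False)}")
        print(f"  reused for another user, any-version rule:   {would_proxy_serve_to_other_user(raw, True)}")
        for note in v.notes:
            print("  -", note)
```

Run against a real capture, the first case is the one to look for: a response the cache is allowed to store, already expired, and tied to a session cookie. A proxy applying the 'valid version' rule revalidates it and the symptom never shows; a proxy told to serve any version hands the stored copy to the next requester of that URL, which is the behaviour Chris describes. The durable fix is on the application side (Cache-Control: private or no-store on authenticated responses), since a cache that ignores freshness can only be kept honest by headers that forbid storing in the first place.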

