RE: ISA 2000 Cache Security Problem

  • From: "Hatton, Chris - SAL" <Chris.Hatton@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 24 Jun 2005 08:41:41 +1200

Hi Jim,

That does make sense about the caching, and yes the sites we noticed this on
were non-SSL, thankfully (bit worried if someone saw my bank account due to
heavy caching).

If I get a chance I will see if I can capture some data and check it out.

Thanks for your help.

Regards,

Chris Hatton
Information Systems Engineer
Safe Air Ltd
Phone: 03 5727793
Mobile: 021 544 570
Email: chris.hatton@xxxxxxxxxxxxx

  _____  

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, 23 June 2005 5:56 p.m.
Subject: RE: ISA 2000 Cache Security Problem

ISA doesn't have the ability to separate cache content on a "per-user"
basis.

If you set ISA to cache everything in sight, you'll get exactly that.

Plus, it also depends on how the site delivers the content.

Don't assume that the web site actually sets a cookie properly using a
Set-Cookie header; many, in fact, simply send data that the web app itself
manages.

Try to get captures of this process and you'll be able to see for certain
(assuming it's not SSL).
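One way to act on Jim's advice, as an added example that is not part of the thread: once you have captures of the webmail or trading site, classify each response by whether a shared proxy cache (such as ISA set to return "any version of the object") could hand it to a different user. The sample responses below are constructed for illustration.

```python
# Added example, not code from the thread: classify captured HTTP responses
# by whether a shared proxy cache (such as ISA configured to return "any
# version of the object") could hand one user's page to another user.
# Sample captures below are constructed for illustration.

def parse_response(raw):
    """Split a raw HTTP response into (status line, {lowercase name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def shared_cache_risks(raw):
    """Return reasons a shared cache could serve this response cross-user ([] if none)."""
    _, h = parse_response(raw)
    cc = ",".join(h.get("cache-control", [])).lower()
    directives = {d.strip().split("=", 1)[0] for d in cc.split(",") if d.strip()}
    if directives & {"private", "no-store"}:
        return []  # explicitly excluded from shared caches
    risks = []
    if "set-cookie" in h:
        risks.append("sets a session cookie but is not marked Cache-Control: private/no-store")
    vary = ",".join(h.get("vary", [])).lower()
    if "cookie" not in vary and "*" not in vary:
        risks.append("no Vary: Cookie, so the cache key ignores which user requested it")
    if "max-age" in directives or "no-cache" in directives or "expires" in h:
        risks.append("relies on freshness/revalidation only, which a cache serving any version ignores")
    return risks

# Constructed samples: a webmail inbox page served with and without the private marker.
INBOX_UNMARKED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=user1-session; path=/\r\n"
    "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n"
    "\r\n"
    "<html>Inbox for user1@example.invalid</html>"
)
INBOX_PRIVATE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=user2-session; path=/\r\n"
    "Cache-Control: private, no-store\r\n"
    "\r\n"
    "<html>Inbox for user2@example.invalid</html>"
)
```

A response whose only protection is an Expires date or max-age is flagged because the "any version" option serves stale objects regardless; only private/no-store keeps it out of the shared cache.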

  _____  

From: Hatton, Chris - SAL [mailto:Chris.Hatton@xxxxxxxxxxxxx]
Sent: Wednesday, June 22, 2005 9:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2000 Cache Security Problem

Hi all,

I seem to have found a possible security problem with ISA 2000.

Our setup includes a route to an upstream ISA 2000 to our head office and the
last route to a DSL connection.

If we use the default route rule caching options everything works fine;
however, if we use the cache option 'Any version of the object' instead of
the default option 'A valid version of the object', we find that users can
inadvertently hijack what seems to be another user's cookie/web session.

To explain this a bit more clearly: user 1 logs onto his personal webmail or
online trading account and maybe disconnects rather than logging off.

User 2 then logs onto their own personal webmail or trading account on the same
website using their own logon details (even on a separate computer), and it
displays user 1's emails and personal information as if you were actually
logged on as user 1. Any ability to change and delete settings seems to only
affect your own account, but you can read and download anything from user 1.

Can anyone explain this?

Regards,

Chris Hatton
Information Systems Engineer
Safe Air Ltd
Phone: 03 5727793
Mobile: 021 544 570
Email: chris.hatton@xxxxxxxxxxxxx

____________________________________________________________________
CAUTION - This message may contain privileged and confidential 
information intended only for the use of the addressee named above.
If you are not the intended recipient of this message you are hereby 
notified that any use, dissemination, distribution or reproduction 
of this message is prohibited. If you have received this message in 
error please notify Safe Air Ltd immediately. Any views expressed 
in this message are those of the individual sender and may not 
necessarily reflect the views of Safe Air.
_____________________________________________________________________
For more information on the Safe Air Group, visit us online
at http://www.safeair.co.nz
_____________________________________________________________________
