Hi Jim,

That does make sense about the caching, and yes the sites we noticed this on were non-SSL, thankfully (bit worried if someone saw my bank account due to heavy caching). If I get a chance I will see if I can capture some data, and check it out.

Thanks for your help.

Regards,

Chris Hatton
Information Systems Engineer
Safe Air Ltd
Phone: 03 5727793
Mobile: 021 544 570
Email: chris.hatton@xxxxxxxxxxxxx

_____

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, 23 June 2005 5:56 p.m.
Subject: RE: ISA 2000 Cache Security Problem

ISA doesn't have the ability to separate cache content on a "per-user" basis. If you set ISA to cache everything in sight, you'll get exactly that. Plus, it also depends on how the site delivers the content. Don't assume that the web site actually sets a cookie "properly" using a Set-Cookie header; many, in fact, simply send data that the web app itself manages. Try to get captures of this process and you'll be able to see for certain (assuming it's not SSL).

_____

From: Hatton, Chris - SAL [mailto:Chris.Hatton@xxxxxxxxxxxxx]
Sent: Wednesday, June 22, 2005 9:01 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2000 Cache Security Problem

http://www.ISAserver.org

Hi all,

I seem to have found a possible security problem with ISA2000. Our setup includes a route to an upstream ISA2000 to our head office and the last route to a DSL Connection. If we use the default route rule caching options everything works fine; however, if we use the cache option 'any version of the object' instead of the default option 'A valid version of the object', we find that users can inadvertently hijack what seems to be another user's cookie/web session.

To explain this a bit clearer: if user 1 logs onto his personal webmail or online trading account and maybe disconnects rather than logging off?
User 2 logs onto their own personal webmail or trading site using their own logon details from the same website (even on a separate computer); it will display user 1's emails and personal information as if you were actually logged on as user 1. Any ability to change and delete settings seems to only affect your account, but you can read and download anything from user 1.

Anyone explain this?

Regards,

Chris Hatton
Information Systems Engineer
Safe Air Ltd
Phone: 03 5727793
Mobile: 021 544 570
Email: chris.hatton@xxxxxxxxxxxxx

____________________________________________________________________
CAUTION - This message may contain privileged and confidential information intended only for the use of the addressee named above. If you are not the intended recipient of this message you are hereby notified that any use, dissemination, distribution or reproduction of this message is prohibited. If you have received this message in error please notify Safe Air Ltd immediately. Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Safe Air.
_____________________________________________________________________
For more information on the Safe Air Group, visit us online at http://www.safeair.co.nz
_____________________________________________________________________
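Jim's point that the proxy cannot tell users apart, and Chris's observation that only the 'any version of the object' option exposes the problem, can be checked against captured responses with the script below. It is an added example written for this thread, not code from either poster or from ISA Server: the sample responses are constructed, and the two policies ("valid" serves a stored copy only while it is fresh, "any" serves whatever is stored) are a simplified model of the ISA rule options named above (a real 'valid version' check revalidates with the origin rather than simply refetching). What it shows is that a personalised page without `Cache-Control: private` or `no-store` is stored by a shared cache and, under the "any" policy, is handed to the next client that asks for the same URL, whatever cookie that client presents.

```python
"""Shared-cache leakage check for captured HTTP responses (added example).

For each response: may a shared proxy cache store it, and would a *second*
client asking for the same URL be answered from the stored copy under the
"valid" (fresh copies only) or "any" (fresh or stale) policy?
"""
import email.utils
from dataclasses import dataclass

HIT_FRESH = "HIT_FRESH"              # fresh stored copy served to the 2nd client
HIT_STALE = "HIT_STALE"              # stale stored copy served anyway ("any" policy)
MISS_STALE = "MISS_STALE"            # stale; cache must revalidate or refetch
MISS_NOT_STORED = "MISS_NOT_STORED"  # a shared cache may not store this response


@dataclass
class Response:
    status: int
    headers: dict  # lower-cased name -> value (repeated headers joined with ", ")


def parse_response(raw: str) -> Response:
    """Parse the status line and headers of a raw HTTP/1.x response; body ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return Response(status, headers)


def cache_control(resp: Response) -> dict:
    """Split Cache-Control into {directive: value}; value is '' for bare directives."""
    directives = {}
    for token in resp.headers.get("cache-control", "").split(","):
        token = token.strip().lower()
        if token:
            name, _, value = token.partition("=")
            directives[name] = value.strip('"')
    return directives


def shared_cache_may_store(resp: Response) -> bool:
    """A shared cache must not store responses marked private or no-store."""
    cc = cache_control(resp)
    return "no-store" not in cc and "private" not in cc


def freshness_lifetime(resp: Response) -> int:
    """Seconds the copy counts as fresh: s-maxage, else max-age, else Expires-Date, else 0."""
    cc = cache_control(resp)
    for directive in ("s-maxage", "max-age"):
        if cc.get(directive, "").isdigit():
            return int(cc[directive])
    try:
        expires = email.utils.parsedate_to_datetime(resp.headers["expires"])
        date = email.utils.parsedate_to_datetime(resp.headers["date"])
        return max(0, int((expires - date).total_seconds()))
    except (KeyError, ValueError, TypeError):
        return 0  # no explicit freshness: the stored copy is stale at once


def serve_decision(resp: Response, stored_age: int, policy: str) -> str:
    """How the cache answers a second client's request for the same URL."""
    if not shared_cache_may_store(resp):
        return MISS_NOT_STORED
    if stored_age < freshness_lifetime(resp):  # fresh while age < lifetime
        return HIT_FRESH
    if policy == "valid":
        return MISS_STALE
    if policy == "any":
        return HIT_STALE
    raise ValueError(f"unknown policy {policy!r}")


def audit(samples: dict, stored_age: int, policy: str) -> dict:
    """Decision per captured response name for one cache policy."""
    return {name: serve_decision(parse_response(raw), stored_age, policy)
            for name, raw in samples.items()}


# Constructed captures (not from the thread); the cookie value is a placeholder.
LEGACY_INBOX = ("HTTP/1.1 200 OK\r\nDate: Wed, 22 Jun 2005 09:00:00 GMT\r\n"
                "Content-Type: text/html\r\nSet-Cookie: SESSID=constructed; path=/\r\n"
                "\r\n<html>Inbox for user 1</html>")  # no Cache-Control at all
HARDENED_INBOX = ("HTTP/1.1 200 OK\r\nDate: Wed, 22 Jun 2005 09:00:00 GMT\r\n"
                  "Cache-Control: private, no-store\r\nContent-Type: text/html\r\n"
                  "\r\n<html>Inbox for user 1</html>")
PUBLIC_LOGO = ("HTTP/1.1 200 OK\r\nDate: Wed, 22 Jun 2005 09:00:00 GMT\r\n"
               "Cache-Control: public, max-age=3600\r\nContent-Type: image/gif\r\n\r\n")
EXPIRES_PAGE = ("HTTP/1.1 200 OK\r\nDate: Wed, 22 Jun 2005 09:00:00 GMT\r\n"
                "Expires: Wed, 22 Jun 2005 09:05:00 GMT\r\nContent-Type: text/html\r\n\r\n")
SAMPLES = {"legacy_inbox": LEGACY_INBOX, "hardened_inbox": HARDENED_INBOX,
           "public_logo": PUBLIC_LOGO, "expires_page": EXPIRES_PAGE}

if __name__ == "__main__":
    for policy in ("valid", "any"):  # second client arrives 60 s after the first
        print(f"policy={policy}")
        for name, decision in audit(SAMPLES, 60, policy).items():
            print(f"  {name:15} {decision}")
```

Run against real captures, the interesting rows are personalised pages that come back `HIT_STALE` under "any" but `MISS_STALE` under "valid": those are the sessions a second user would see, and the fix on the web application side is `Cache-Control: private, no-store` (as in `HARDENED_INBOX`), which takes the proxy out of the picture under either policy.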