RE: ISA 2000 Cache Security Problem

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 23 Jun 2005 18:02:26 -0700

Bet I can make it do it...

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, June 23, 2005 4:00 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA 2000 Cache Security Problem

http://www.ISAserver.org

I don't think you need to worry about ISA caching SSL content for
forward caching ;)

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

________________________________

        From: Hatton, Chris - SAL [mailto:Chris.Hatton@xxxxxxxxxxxxx] 
        Sent: Thursday, June 23, 2005 3:42 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: ISA 2000 Cache Security Problem

        http://www.ISAserver.org

        Hi Jim,

        That does make sense about the caching, and yes the sites we
noticed this on were non-SSL, thankfully (bit worried if someone saw my
bank account due to heavy caching).

        If I get a chance I will see if I can capture some data and
check it out.

        Thanks for your help.

        Regards,

        Chris Hatton
        Information Systems Engineer
        Safe Air Ltd
        Phone: 03 5727793
        Mobile: 021 544 570
        Email: chris.hatton@xxxxxxxxxxxxx

________________________________


        From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
        Sent: Thursday, 23 June 2005 5:56 p.m.
        Subject: RE: ISA 2000 Cache Security Problem

        ISA doesn't have the ability to separate cache content on a
"per-user" basis.

        If you set ISA to cache everything in sight, you'll get exactly
that.

        Plus, it also depends on how the site delivers the content.

        Don't assume that the web site actually sets a cookie "properly"
using a Set-Cookie header; many, in fact, simply send data that the web
app itself manages.

        Try to get captures of this process and you'll be able to see
for certain (assuming it's not SSL).

________________________________


        From: Hatton, Chris - SAL [mailto:Chris.Hatton@xxxxxxxxxxxxx] 
        Sent: Wednesday, June 22, 2005 9:01 PM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] ISA 2000 Cache Security Problem

        http://www.ISAserver.org

        Hi all,

        I seem to have found a possible security problem with ISA2000.

        Our setup includes a route to an upstream ISA2000 to our head
office and the last route to a DSL Connection.

        If we use the default route rule caching options everything
works fine; however, if we use the cache option 'Any version of the
object' instead of the default option 'A valid version of the object', we
find that users can inadvertently hijack what seems to be another user's
cookie/web session.

        To explain this a bit clearer: if user 1 logs onto his personal
webmail or online trading account and maybe disconnects rather than
logging off, and user 2 then logs onto their own personal webmail or
trading site using their own logon details from the same website (even
on a separate computer), it will display user 1's emails and personal
information as if you were actually logged on as user 1. Any ability to
change and delete settings seems to only affect your own account, but
you can read and download anything from user 1.

        Can anyone explain this?

        Regards,

        Chris Hatton
        Information Systems Engineer
        Safe Air Ltd
        Phone: 03 5727793
        Mobile: 021 544 570
        Email: chris.hatton@xxxxxxxxxxxxx

____________________________________________________________________
        CAUTION - This message may contain privileged and confidential
        information intended only for the use of the addressee named above.
        If you are not the intended recipient of this message you are hereby
        notified that any use, dissemination, distribution or reproduction
        of this message is prohibited. If you have received this message in
        error please notify Safe Air Ltd immediately. Any views expressed
        in this message are those of the individual sender and may not
        necessarily reflect the views of Safe Air.
_____________________________________________________________________
        For more information on the Safe Air Group, visit us online
        at http://www.safeair.co.nz
_____________________________________________________________________

        ------------------------------------------------------
        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Other Internet Software Marketing Sites:
        World of Windows Networking: http://www.windowsnetworking.com
        Leading Network Software Directory: http://www.serverfiles.com
        No.1 Exchange Server Resource Site: http://www.msexchange.org
        Windows Security Resource Site: http://www.windowsecurity.com/
        Network Security Library: http://www.secinf.net/
        Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion
        List as: jim@xxxxxxxxxxxx
        To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
        Report abuse to listadmin@xxxxxxxxxxxxx
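Jim's advice to capture the exchange and see how the site actually delivers its content can be turned into a check over those captures. The following is an added example, not code from the thread or from ISA Server: it parses a captured request/response pair and flags bodies tied to one user's session that carry no `Cache-Control: private` or `no-store`, on the assumption that a proxy set to serve "any version of the object" ignores freshness and revalidation controls (Expires, max-age, no-cache, must-revalidate) but still declines to store private/no-store responses; verify that last point against your own proxy's documentation. The capture text, hostnames and cookie values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    personalised: bool     # response was tied to one user's session
    cache_safe: bool       # headers stop a shared cache from storing it
    revalidate_only: bool  # guarded only by controls an "any version" cache ignores

    @property
    def leaks(self) -> bool:
        # A personalised body that a shared cache may store is what the
        # thread describes: user 2 receives user 1's stored inbox.
        return self.personalised and not self.cache_safe

def parse_headers(raw: str) -> dict[str, list[str]]:
    """Header block of a raw HTTP/1.x message, names lower-cased."""
    head = raw.partition("\r\n\r\n")[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:        # skip the request/status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def assess(request: str, response: str) -> Finding:
    """Classify one captured request/response pair for shared-cache risk."""
    req, resp = parse_headers(request), parse_headers(response)
    # Session material on the request, or a cookie issued by the response,
    # marks the body as belonging to one user.
    personalised = "cookie" in req or "authorization" in req or "set-cookie" in resp
    directives = {d.strip().split("=")[0].lower()
                  for v in resp.get("cache-control", []) for d in v.split(",")}
    cache_safe = bool(directives & {"private", "no-store"})
    # Expires / max-age / no-cache / must-revalidate only govern freshness and
    # revalidation; a cache told to serve "any version" does not consult them.
    revalidate_only = not cache_safe and (
        bool(directives & {"max-age", "no-cache", "must-revalidate"}) or "expires" in resp)
    return Finding(personalised, cache_safe, revalidate_only)

# Constructed capture (not from the thread): a webmail inbox fetched with a
# session cookie, returned with only an Expires header.
INBOX_REQ = "GET /inbox HTTP/1.1\r\nHost: mail.example\r\nCookie: sid=abc\r\n\r\n"
INBOX_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Expires: Thu, 01 Jan 1970 00:00:00 GMT\r\n\r\n<html>user 1 mail</html>")
# The same response with headers that forbid a shared cache from storing it.
SAFE_RESP = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "Cache-Control: private, no-store\r\n\r\n<html>user 1 mail</html>")
```

Run `assess(INBOX_REQ, INBOX_RESP)` against a batch of captures to list which responses a shared cache in "any version" mode could hand to the wrong user.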