Bugtraq mailing list archives
Re: Intacct.com: Multiple bugs at financial services company
From: Andrew Pimlott <andrew () PIMLOTT NE MEDIAONE NET>
Date: Wed, 6 Sep 2000 15:13:55 -0400
On Wed, Sep 06, 2000 at 07:48:01AM -0400, Chris L. Mason wrote:
> I think there's a solution to this "problem" that is far too often overlooked. More sites simply need to start using HTTP Basic Access Authentication.
If you think this is the solution, you don't understand the cross-site scripting class of vulnerabilities. Honest. Read http://www.apache.org/info/css-security/ a few times. HTTP authentication is just a limited cookie. It is basically not possible for HTTP authentication to be more secure than cookies (modulo implementation quirks). It can be less secure, because there is no standard way to force (more accurately, advise) expiration. If you don't understand why this is desirable, see above. Hint: this is about protecting the client, not protecting the server.
> 4. One user of a service can email another a URL from within the site, and the other user can actually use it, *and* be authenticated properly with their own id!
Exactly the problem. Do you really want http://bank.example.com/transfer.cgi?amount=1000.00&recipient=apimlott to "just work"? If you don't think I can trick you into going to that URL, I bet you're wrong.
> I wish companies would focus on providing services as secure as possible at their end. You only control *your* systems, so focus on securing *them*.
Sure, let's all ignore our customers' security. In fairness, hotmail.com, intacct.com, and many other sites seem to agree.

Andrew
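The exchange above turns on one point: whatever ambient credential the browser attaches automatically (a cookie or an HTTP Basic header) makes a bare URL like the transfer.cgi one "just work" for whoever is tricked into loading it, and Basic auth additionally gives the server no standard way to advise expiry. The following is an added example, not code from the original post or from any of the sites named in the thread. It simulates a hypothetical transfer handler in two forms: a naive one that trusts the ambient session alone, and a hardened one that also requires a POST, a per-session anti-forgery token, and a server-advised session lifetime. The names `Session`, `Request`, `naive_transfer` and `hardened_transfer`, and the sample requests, are constructed for the illustration.

```python
"""Added example (not from the mailing-list post): why a transfer URL that
'just works' with ambient credentials is a problem, and one server-side fix.
All names and sample requests here are hypothetical / constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    """Server-side session state keyed by the cookie the browser sends."""
    user: str
    created: float
    max_age: float = 900.0  # seconds; the server-advised expiry Basic auth lacks
    # Secret the attacker's link cannot know; it is only ever embedded in
    # forms the server itself rendered for this session.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

    def expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now - self.created > self.max_age


@dataclass
class Request:
    method: str
    path: str
    params: dict
    # The ambient credential: attached by the browser whether the user
    # typed the URL or merely followed a link someone mailed them.
    session: Optional[Session]


def naive_transfer(req: Request):
    """Trusts the ambient session alone, so a GET link is enough to act."""
    if req.session is None:
        return 401, "login required"
    p = req.params
    return 200, f"{req.session.user} sent {p['amount']} to {p['recipient']}"


def hardened_transfer(req: Request, now: Optional[float] = None):
    """Requires a live session, a POST, and the session's anti-forgery token."""
    if req.session is None or req.session.expired(now):
        return 401, "login required"
    if req.method != "POST":
        # State changes never ride on a GET; a link cannot trigger them.
        return 405, "state change must be POSTed"
    token = req.params.get("csrf_token", "")
    # Constant-time comparison against the token issued to this session.
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403, "missing or wrong anti-forgery token"
    p = req.params
    return 200, f"{req.session.user} sent {p['amount']} to {p['recipient']}"


def demo():
    """Constructed walk-through: a mailed link versus a genuine form post."""
    sess = Session(user="victim", created=1000.0)
    mailed_link = Request("GET", "/transfer.cgi",
                          {"amount": "1000.00", "recipient": "attacker"}, sess)
    real_form = Request("POST", "/transfer.cgi",
                        {"amount": "1000.00", "recipient": "attacker",
                         "csrf_token": sess.csrf_token}, sess)
    return {
        "naive_link": naive_transfer(mailed_link)[0],          # 200: it 'just works'
        "hardened_link": hardened_transfer(mailed_link, 1000.0)[0],   # 405
        "hardened_form": hardened_transfer(real_form, 1000.0)[0],     # 200
        "hardened_stale": hardened_transfer(real_form, 2000.0)[0],    # 401
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The status codes carry the argument: the naive handler answers 200 to the mailed link because the session cookie rode along with it, while the hardened one refuses the same link (405), accepts only a form the server itself rendered with the session's token (200), and treats the session as dead once the advised lifetime has passed (401), which is the expiry control a Basic-auth-only design cannot express.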