--Boundary_(ID_EodshfsBpXqEqPDPpwHYSQ)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
>> From: David Andrews <xxxx@netscape.com>
>> To: MJE <mark@ntsecurity.net>; fred@DOTCOM.FR
>> Date: Friday, July 04, 1997 2:25 AM
>> Subject: Reported Proxy-Netscape Bug
>>
>> >Mark and Fred,
>> >
>> >I am sending you this to request that you update the following web
page
>> >on the Squid Proxy issue ( http://www.ntsecurity.net/security/ns4.htm).
>> >Overall, I believe that the web page incorrectly points to Netscape
>> >as the source of the problem when the proxy is the issue. Please take
a
>> >look at the below.
>> >
>> >History:
>> >
>> > * We first heard about the bug through a call from a reporter
>> > yesterday afternoon (7/3 @ 2;30 USA west coast).
>> > * Next, our engineers started looking into the report, and we
>> > attempted to contact you and Squid.
>> >
>> >Here's What We Found:
>> >
>> > * The problem is a user name/password bug in the Squid Proxy. In
>> > general, users should be concerned authenticating via FTP is in
the
>> > clear.
>> > * Squid takes user name and password, returns it in a URL, stores
it
>> > in an HTML page and also stores it in its own log file.
>> > * On the client side, the user name and password ends up in the
>> > user's history file.
>> >
>> >The Risk:
>> >
>> > * Exploiting the bug would require that a hacker break into the
Proxy
>> > or the client.
>> > * Proxy side. If someone can access the server logs, they can get
>> > the user name and password information for users.
>> > * No problem from the client side. The reported issue exposes the
>> > password to the user and the Proxy server operator only. A
hacker
>> > would have to separately attempt to break into the user's
computer
>> > to try and steal the information. User information cannot be
taken
>> > by exploiting reported privacy bug because it has been fixed.
>> >
>> >What Netscape Is Doing:
>> >
>> > * We are working with Squid to assist them in patching their
product.
>> >
>> >Thanks,
>> >David M. Andrews
>> >Sr. Security Product Manager
>> >Netscape Communications Corp.
>> >----------------------
>>
--Boundary_(ID_EodshfsBpXqEqPDPpwHYSQ)
Content-id: <Pine.SUN.3.94.970708095426.19651E@dfw.dfw.net>
Content-type: TEXT/X-VCARD; name=vcard.vcf; charset=us-ascii
Content-description: Card for David M. Andrews
Content-disposition: ATTACHMENT; FILENAME=vcard.vcf
Content-transfer-encoding: 7bit
begin: vcard
fn: David M. Andrews
n: Andrews;David M.
org: <img src="http://home.netscape.com/inserts/images/lighthouse.gif"> Netscape Communications Corp.
adr: 685 E. Middlefield Road;;MS: MV-032;Mountain View;California;94043-4042;USA
email;internet: dandrews@netscape.com
title: Sr .Security Product Manager
tel;work: 415-937-4772
tel;fax: 415-428-4097
tel;home: 800-905-1094
x-mozilla-cpt: ;0
x-mozilla-html: TRUE
end: vcard
--Boundary_(ID_EodshfsBpXqEqPDPpwHYSQ)--