Message-ID: <6.0.0.22.1.20031205140914.032ab470@203.167.127.4>
Date: Fri, 05 Dec 2003 14:15:44 +0800
From: tito <mochafrap@....ph>
To: bugtraq@...urityfocus.com
Cc: firewalls@...urityfocus.com
Subject: netscreen flaw?

Hi!

I have 5 NS500 boxes here with these details:

  Hardware Version: 4110(0)
  Software Version: 4.0.3r4.0 (Firewall+VPN)

using netscreen's web UI on management,
with the Idle timeout set to 15 minutes or if I
want to logout, Internet Explorer would prompt me

"The Web page you are viewing is trying to close the window.
Do you want to close this window?"

http://192.168.20.250/close.html*0

If I choose no, and go back to the navigator bar to re-enter the
Netscreen management IP address

http://192.168.20.250

will lead you directly to the home page

http://192.168.20.252/top.html*6,1,1

I don't have to enter any login credentials
to be able to peek or tweak the firewall...

this shouldn't be the case (even if you tell me
to logout then close the window at all times,
even if I disable cookies)(can't browse the web UI
with my Internet Explorer security settings set to high.)

as the idle timeout must always require me to re-enter
my username/password after n minutes of inactivity.

what do you think?

thanks,

tito basa
makati, philippines
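
The behaviour the message expects, as an added example that is not part of the original post and is not NetScreen code: a minimal server-side session table in which both the idle timeout and logout end the session regardless of what the browser does with the close-window prompt. All names and the timeline are hypothetical and constructed for illustration.

```python
import secrets

IDLE_TIMEOUT = 15 * 60  # seconds; the 15-minute idle timeout from the message


class SessionStore:
    """Server-side session table (hypothetical model, not NetScreen code)."""
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._last_seen = {}  # token -> time of last authenticated request

    def login(self, now):
        token = secrets.token_urlsafe(32)
        self._last_seen[token] = now
        return token

    def logout(self, token):
        # Invalidate on the server; whether the browser window closes is irrelevant.
        self._last_seen.pop(token, None)

    def check(self, token, now):
        """Return True if the request may proceed, False if login is required."""
        seen = self._last_seen.get(token)
        if seen is None:
            return False
        if now - seen >= self.idle_timeout:
            # Expired: delete the entry so a later request cannot revive it.
            del self._last_seen[token]
            return False
        self._last_seen[token] = now  # activity resets the idle clock
        return True


def replay_reported_sequence():
    """Constructed timeline mirroring the report; times are in seconds."""
    store = SessionStore()
    results = {}
    t1 = store.login(now=0)
    results["active"] = store.check(t1, now=600)            # 10 min after login
    results["after_idle"] = store.check(t1, now=600 + 900)  # 15 min idle
    results["revisit"] = store.check(t1, now=600 + 901)     # re-entering the URL
    t2 = store.login(now=2000)
    store.logout(t2)  # user then answers "No" to the close-window prompt
    results["after_logout"] = store.check(t2, now=2001)
    return results


if __name__ == "__main__":
    print(replay_reported_sequence())
```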


