Security Problem with caching

From: WOO Peter -OH SHRD SRVC <>
Date: Fri, 14 Feb 1997 13:12:54 -0500


The following is a compliant from one of the users in our Corporation.
I notice that some secured html's are generation from cgi-win, cgi-shl ,
etc. Therefore, using only "cache_stoplist cgi-bin ?" may not be too
effective. I wonder how I can stop caching all POST objects instead.

Thanks in advance
Peter Woo
Ontario Hydro


Quirks in either Hydro's implementation of caching or in other sites'
interpretation of how caching works, has allowed the ability for
complete strangers (in Hydro) to view your confidential bank accounts.


Two weeks ago, we were setting up My Yahoo (a customized web page) for
somebody (strictly technical news :). After setting up, we were quite
surprised to get somebody else's web page. Ha, ha we thought, and it
never happened again.

Now I've been informed that somebody was checking their Bank of Montreal
web bank account. This is fairly heavily protected by user name and
password. Lo and Behold, he came up with somebody else's (in Hydro)
bank account! This fellow almost came to blows accusing that person of
using his PC at night! :)

What is happening here? I believe that MBANX is probably being slack
about caching and the use of common ip firewalls, but we are probably
caching something that shouldn't be cached.

Until this is resolved, I recommend that web accounts be only checked at
Received on Fri Feb 14 1997 - 10:45:33 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:34:27 MST