> > SNF 7.2 has a very serious flaw!!! I found it today. The flaw is that
> > any user who has access to the PC that has been used by the system
> > administrator can log in to the firewall without giving a password.
> >
> > Try this from any PC in your network. I use Windows 95.
> >
> > 1. Go to https://192.168.0.1:8443 and log in. (The IP of the firewall
> > depends on your setting.)
> > 2. Log out from the webpage.
> > 3. Type https://192.168.0.1:8443 again; the page will come out. Press
> > the login button. Voila, you can access the firewall administration
> > page without a password. What a very secure firewall!
>
> simply close the browser when you're done with the configurations
We use MS Exchange as our mail server, and there is a web-based client built in that I use frequently. It displays this warning on logout:
--
To complete the log off process and prevent other users from opening your mailbox, you must close your browser. To log on again, click here.
--
Now, I haven't been able to click on login and get in without a password, but I can hit the browser's Back button and see my Inbox. If I try to read a message or access anything else, it prompts me to log in again.

Now, to tie this back into the SNF product...

Okay, so you can just hit login and get in without a password. Can you actually make changes to the setup? If you can make changes, then it appears as though there's a security vulnerability that needs to be resolved.

If you can't make changes, then it looks like you're in a similar situation to the one I was in with Exchange: your browser has cached that information/page/cookie so you can still see it, but your authentication has been lost, so the system isn't vulnerable to exploitation. The fact that you can still view the system configuration is of some concern, but it appears that that is a limitation of the browser, as I have the same problem above, being able to view the contents of my Inbox. I think that Mandrake instituting a similar warning on logout about closing the browser would "solve" the problem, in this case.
Don Head
SAIR LCA, CIW-P, i-Net+, Network+, A+
Systems Administrator [ [EMAIL PROTECTED] ]
Web Designer [ 1 314 650-4056 ]
[ AIM - Don Wave ] [ ICQ - 18804935 ] [ Yahoo - Don_Wave ]
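The distinction the thread turns on is whether logout only discards what the browser holds, or also invalidates the session on the server. The following is an added illustrative example, not code from SNF, Mandrake or Exchange, modelling the two properties a web admin interface needs so that neither the Back button nor pressing "login" again with a stale cookie shows or grants anything: server-side session invalidation on logout, and `Cache-Control: no-store` on authenticated pages so the browser keeps no copy to redisplay. All names (`SessionStore`, `handle_admin_request`, the credentials, the TTL) are made up for this example.

```python
"""Minimal model of server-side session handling for a web admin page.

Added example; not code from any product discussed in the thread.
Demonstrates:
  1. logout invalidates the session on the server, so a cookie the
     browser still remembers is useless afterwards; and
  2. authenticated responses carry Cache-Control: no-store, so the
     browser's Back button has no cached copy of the page to show.
"""
import secrets
import time

SESSION_TTL = 600  # seconds; assumed value chosen for this example


class SessionStore:
    """In-memory session table: token -> (username, expiry timestamp)."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, password, check_password):
        """Verify credentials and return a fresh random token, or None."""
        if not check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = (username, time.time() + SESSION_TTL)
        return token

    def logout(self, token):
        """Drop server-side state; the client's copy of the cookie no longer means anything."""
        self._sessions.pop(token, None)

    def user_for(self, token):
        """Return the username for a live session, or None if unknown/expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.time() > expiry:
            del self._sessions[token]
            return None
        return username


def no_cache_headers():
    """Headers that stop the browser (and intermediaries) from storing the page."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }


def handle_admin_request(store, cookie_token):
    """Simulate GET /admin: (status, headers, body).

    200 with the configuration page if the session is live, otherwise a
    302 redirect to the login page. Both carry no-cache headers.
    """
    headers = no_cache_headers()
    user = store.user_for(cookie_token)
    if user is None:
        headers["Location"] = "/login"
        return 302, headers, ""
    return 200, headers, f"Firewall configuration for {user}"


def demo():
    """Log in, fetch the admin page, log out, replay the same cookie."""
    users = {"admin": "correct horse battery staple"}  # constructed credentials
    check = lambda u, p: secrets.compare_digest(users.get(u, ""), p)
    store = SessionStore()
    token = store.login("admin", "correct horse battery staple", check)
    status_before = handle_admin_request(store, token)[0]
    store.logout(token)
    # The browser may still present the old cookie (or the user may press
    # "login" again); the server must treat it as unauthenticated.
    status_after = handle_admin_request(store, token)[0]
    return status_before, status_after


if __name__ == "__main__":
    print(demo())  # (200, 302)
```

With this model, the Exchange behaviour described above (Back shows the old Inbox, any further action prompts for login) corresponds to a server that invalidates the session but omits the no-store headers; the SNF behaviour described by the first poster, if changes can really be made after "logout", would correspond to a server that never invalidated the session at all. Closing the browser only helps with the first case.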