On Wed, 29 Apr 2009, Rich Kulawiec wrote:

> On Wed, Apr 29, 2009 at 12:27:41PM -0700, Steve Pirk wrote:
... embarrassing comments deleted ...
>> safe enough, no?
>
> Well...I'm not so sure. I mean, if we grant the "done correctly" part
> for the sake of argument, it sounds to me like a file F requested by
> user A on system X may be cached on system Y used by user B, even if
> user B does not have the appropriate permissions for file F. If that's
> the case, and it may not be, then a security issue with system Y or
> user B could expose file F.
>
> Is this how others are reading it?
After I got up off the floor laughing at the "who's on first" beauty of the above logic chart, it hit me that this probably would not be limited to "internet" cached data, but possibly all internal web data, as Rich says. Right away I thought of ACL content (auth/auth) that is web-based within a company, tagged "your eyes only", that could be cached. Quick, how many apps do _not_ use Windows domain-based auth/auth to determine who is allowed to see content? Ick. This would be bad where I work.

"read the entire blurb steve..."

-steve

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
