[funsec] This sounds like a security disaster just waiting to happen...

Rich Kulawiec rsk at gsp.org
Wed Apr 29 15:16:10 CDT 2009


On Wed, Apr 29, 2009 at 12:27:41PM -0700, Steve Pirk wrote:
> So, Microsoft has implemented a Squid-like server as part of their gateway 
> solution for office connections to the net. If done correctly, should be 
> safe enough, no?

Well...I'm not so sure.  I mean, if we grant the "done correctly" part
for the sake of argument, it sounds to me like a file F requested by
user A on system X may be cached on system Y used by user B, even if
user B does not have the appropriate permissions for file F.  If that's
the case, and it may not be, then a security issue with system Y or
user B could expose file F.

Is this how others are reading it?

---Rsk


