From: Debra Bartling (bartling@peer.berkeley.edu)
Date: Fri Aug 24 2001 - 10:14:17 PDT
I'm glad to hear others are concerned about ezSurePay! When it was
announced, I immediately went to take a look and did the survey. When I hit
the "Finish" button, I got a message back:
"Directory Listing Denied
This Virtual Directory does not allow contents to be listed."
And I flamed ezPayroll@uclink big time! The application did not even work
correctly for me!
I agree with Mike Friedman's excellent list of issues: Using the
authentication service is not enough to secure an application. If you look
at the application (.asp) and the source, you can assume it's running on a
Windows server, most likely running IIS, authored in Front Page (so are we
running Front Page server extensions?): many interesting areas a hacker
might explore! I certainly hope my social security number and bank account
number are not sitting on a Windows box in a .edu domain and that the XXXs
on the form are really missing data, not just masking it for display!
Furthermore, I connected initially using my old Netscape browser with
cookies disabled and got nothing but a blank screen. It's possible the
errors I saw were due to the browser and the version. But if the developers
did not even consider questions like: "What if cookies are disabled? What
if the browser is not the latest version of Internet Explorer?" ... how can
I trust that they considered all the "What ifs?" related to running a
secure server?
The security requirements for a web application that risks exposing
sensitive data have to be higher than the average department web site, and
if the UCB security group does not have oversight and auditing functions
here, I think they should.
I would also like the ability to opt out of applications like this.
Debra Bartling
Programmer/Analyst
National Information Service for Earthquake Engineering
University of California, Berkeley
Phone: 510-231-9558
http://nisee.berkeley.edu/
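Editor's note: the message above asks whether the XXXs on the form are real missing data or only a display mask. The check a reviewer would actually run is whether the full value is still present in the page the server sends, since a value masked only in the browser (hidden field, script, CSS) is one "view source" away. The script below is an added example, not code from the original message or from the ezSurePay application; the record, the two page templates and the function names (mask_tail, render_client_masked, render_server_masked, leaked_values) are all constructed for illustration.

```python
"""
Added example (not part of the original message or the ezSurePay application).
Demonstrates the difference between masking a sensitive value on the server
before it reaches the browser and "masking" it only for display while the
full value still travels to the client. The record and templates are
constructed sample data, not real values.
"""

# Constructed sample record; not a real person, SSN or account.
RECORD = {"name": "A. Employee", "ssn": "123-45-6789", "account": "000123456789"}


def mask_tail(value: str, keep: int = 4, mask_char: str = "X") -> str:
    """Replace every digit except the last `keep` with mask_char.

    Non-digit separators are preserved, so 123-45-6789 -> XXX-XX-6789.
    """
    digit_count = sum(c.isdigit() for c in value)
    to_mask = max(digit_count - keep, 0)
    out = []
    seen = 0
    for c in value:
        if c.isdigit():
            out.append(mask_char if seen < to_mask else c)
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def render_client_masked(record: dict) -> str:
    """Anti-pattern (hypothetical template): the masked value is shown, but the
    full value is still sent to the browser in hidden inputs so a later form
    post can round-trip it. Anyone who views source or sniffs the response
    gets the real SSN and account number."""
    return (
        "<form>"
        f"<span>SSN: {mask_tail(record['ssn'])}</span>"
        f"<input type='hidden' name='ssn' value='{record['ssn']}'>"
        f"<span>Account: {mask_tail(record['account'])}</span>"
        f"<input type='hidden' name='account' value='{record['account']}'>"
        "</form>"
    )


def render_server_masked(record: dict) -> str:
    """Correct pattern (hypothetical template): only the masked form exists in
    the response; the server keeps the full value tied to the authenticated
    session and never echoes it back."""
    return (
        "<form>"
        f"<span>SSN: {mask_tail(record['ssn'])}</span>"
        f"<span>Account: {mask_tail(record['account'])}</span>"
        "</form>"
    )


def leaked_values(html: str, record: dict) -> list:
    """Return the names of fields whose full value appears anywhere in the
    response body. A non-empty list means the "mask" is display-only."""
    return [k for k in ("ssn", "account") if record[k] in html]


if __name__ == "__main__":
    for name, render in (("client-masked", render_client_masked),
                         ("server-masked", render_server_masked)):
        page = render(RECORD)
        print(f"{name}: leaked fields = {leaked_values(page, RECORD)}")
```

Run against a real application, the same check is: fetch the page while logged in, save the raw response body, and search it for the full SSN or account number you know the system holds. If the value is found anywhere in the body, the XXXs are cosmetic.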
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the Micronet Web site at <http://wss.berkeley.edu/micronet/>.
This archive was generated by hypermail 2b29 : Fri Aug 24 2001 - 10:12:20 PDT