Vulnerability Note VU#829876

Some versions of Outlook Web Access may use the Cache-Control: no-cache HTTP 1.1 directive.

From RFC 2616:

If the no-cache directive does not specify a field-name, then a cache MUST NOT use the response to satisfy a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent caching even by caches that have been configured to return stale responses to client requests.
If the no-cache directive does specify one or more field-names, then a cache MAY use the response to satisfy a subsequent request, subject to any other restrictions on caching. However, the specified field-name(s) MUST NOT be sent in the response to a subsequent request without successful revalidation with the origin server. This allows an origin server to prevent the re-use of certain header fields in a response, while still allowing caching of the rest of the response.

Sensitive information that is viewed during an Outlook Web Access session may be stored to disk.

We are unware of a solution for this problem.

Clear browser caches

Clearing browser caches frequently may mitigate this vulnerability by deleting data that was inadvertantly cached.

• In Internet Explorer 7, click on Tools, Internet Options, Delete (under the Browsing history section), then Delete all.
• For Firefox 2 and 3 see the Firefox Options window support page for information on how to automatically remove cached browser files.
• In Safari 3.0, click Safari then Reset Safari.
• In recent of versions of Opera, go to Tools, Preferences, Advanced, History and set the cache to Empty on exit.
• For recent versions of the Konqueror browser, use the KControl module called Cache, then click on the Clear cache button.