Bugtraq mailing list archives
Re: Cleartext Password display in NS Communicator
From: oskar () is co za (Oskar Pearson)
Date: Thu, 3 Jul 1997 09:19:24 +0200
Fred Albrecht wrote:
The password is now plainly visible in the URL field : « ftp://user:passwd@host »
Appendix to my previous message: It happens only when connecting over proxy Squid (1.1.10) and it appears also in Squid's access.log.
After trying a number of combinations, it seems that it indeed only works when going through the proxy... Squid 1.1.11 here.
Squid 1.NOVM.10 here
At any rate, Netscape shouldn't display the password and squid shouldn't log what it can clearly identify as « sensitive » information.
Agreed - this is, however, a _setup_ problem with the squid proxy. You have to change squid.conf so that ftpget_options includes either the "-a" or "-A" flag (I prefer "-a").

It might be worth putting this in the documentation or the config file's comments... I will contact people about this.

Our config file contains:

ftpget_options -a -p http://www.is.co.za/tisservices/proxy/ -s .gif -w 25

For the list of possible options run '/usr/local/squid/bin/ftpget -h'

These are the relevant options:

-a Do not show password in generated URLs
-A Do not show login information in generated URLs

Oskar
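Added example, not part of the original message and not Squid's own code: a scrubber for access.log lines that were already written with « ftp://user:passwd@host » URLs before the option was set. Its two modes follow the descriptions of -a and -A quoted above; the sample log lines, hosts and field layout are constructed for illustration.

```python
import re

# scheme://userinfo@ where userinfo runs to the LAST '@' before the first '/'.
# Anonymous-FTP passwords are often e-mail addresses, so the password itself
# may contain '@'; a greedy match avoids leaking the tail of it.
USERINFO = re.compile(r'(?P<scheme>\b[a-z][a-z0-9+.-]*://)(?P<info>[^\s/]*)@', re.I)

def scrub(line, hide_login=False):
    """Redact URL credentials in one log line.

    hide_login=False: drop the password, keep the login (as -a is described).
    hide_login=True:  drop all login information (as -A is described).
    """
    def repl(m):
        user, sep, _password = m.group('info').partition(':')
        if hide_login or not user:
            return m.group('scheme')
        if not sep:                      # login only, no password present
            return m.group(0)
        return f"{m.group('scheme')}{user}@"
    return USERINFO.sub(repl, line)

def exposed(lines):
    """Return 1-based numbers of lines whose URLs carry a password."""
    return [n for n, line in enumerate(lines, 1)
            if any(':' in m.group('info') for m in USERINFO.finditer(line))]

# Constructed sample lines (illustrative layout, not copied from a real log).
SAMPLE = [
    "867914364.123 2045 10.0.0.5 TCP_MISS/200 4312 GET "
    "ftp://fred:s3cret@ftp.example.org/pub/file.txt - DIRECT/ftp.example.org text/plain",
    "867914370.456 120 10.0.0.5 TCP_HIT/200 912 GET "
    "http://www.example.org/a@b.html - NONE/- text/html",
    "867914380.789 3100 10.0.0.9 TCP_MISS/200 20480 GET "
    "ftp://anonymous:me@example.com@ftp.example.org/README - DIRECT/ftp.example.org text/plain",
]

if __name__ == "__main__":
    print("lines with passwords:", exposed(SAMPLE))
    for line in SAMPLE:
        print(scrub(line))
```

Run it over rotated logs and any log copies as well; changing ftpget_options only affects URLs generated from then on.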
Current thread:
- Cleartext Password display in NS Communicator Fred Albrecht (Jul 02)
- Re: Cleartext Password display in NS Communicator Holger Kanzog (Jul 02)
- Re: Cleartext Password display in NS Communicator Fred Albrecht (Jul 02)
- Re: Cleartext Password display in NS Communicator Oskar Pearson (Jul 03)