Bugtraq mailing list archives

Re: IE and cached passwords

From: paulle () EXCHANGE MICROSOFT COM (Exchange)
Date: Fri, 27 Aug 1999 19:04:53 -0700


The server gets to say, in the WWW-Authenticate challenge header field, for
which "realm" it wants credentials (name+password). If both www.company.com
and www.company.com:81 send the same realm, then the same password will
continue to work.

This behavior is as spec'd for HTTP Authentication, RFC 2617.

So, it is not a security flaw.

-----Original Message-----
From: Justin King [mailto:JKing () GFPGROUP COM]
Sent: Thursday, August 19, 1999 8:58 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: IE and cached passwords

In Internet Explorer (v5/nt,v4/nt,v5/win98), when I go to a
website (say,
www.company.com), and it requests authorization (via basic
authentication),
and I enter it, I am able to browse the rest of the site
without reentering
my password on each page. This is fine. However, if I go to
another website
on the same machine, but a different port (say,
www.company.com:81), my
authentication information is still sent.

This seem to me to be a security flaw with the browser. The
potential for
abuse doesn't really seem very high, but I do think it's there.

Current thread:

Re: IE and cached passwords Exchange (Aug 27)
- Re: IE and cached passwords Peter W (Aug 28)
- yet another article about stealth modules in linux. riq (Aug 28)
- Re: IE and cached passwords Aleph One (Aug 28)