RE: FTP "Network Place" with saved password will reveal cached pa ssword

["jones, gerald" <jones_gerald () emc com>]

I just tried this using a Windows 2000 Professional as a client and a
Windows 2000 Server running IIS 5.0. TFor an FTP Network Place, the password
was displayed in the address bar after adding the first "../", whether the
password was saved or not. The ftp (IE) window changed to "This page cannot
be displayed", as expected (not allowed to go above ftp root).

Gerry Jones


-----Original Message-----
From: Aaron Heck [mailto:AHeck () ouc bc ca]
Sent: Friday, December 14, 2001 1:46 PM
To: bugtraq () securityfocus com
Subject: FTP "Network Place" with saved password will reveal cached
password


Summary:
When a "Network Place" has been added to "My Network Places" with a
saved username and password it is possible to get Explorer to display
the password in cleartext format by altering the path in the address
bar.

<snip>
 
Aaron Heck
Instructional Microcomputer Resource Coordinator
Okanagan University College
aheck () ouc bc ca