Vulnerability Development mailing list archives

Re: R: Re: ICQ >= 99* + CC Data

From: camp () CDCLA COM (C. C. Camp)
Date: Thu, 20 Jan 2000 06:49:52 -0800


The feature is known as "Autocomplete" and can be turned off at the
individual field or entire form level. e.g. at the form level:

<FORM NAME=logon AUTOCOMPLETE="off" METHOD=POST onSubmit="......

see the Microsoft write-up on this "feature" at

http://msdn.microsoft.com/workshop/author/forms/autocomplete_ovr.asp

Note- the use of generic field names in forms is incompatible with Autocomplete.
e.g. if a developer names his fields arg1, arg2, .. argn, and their logical content
differs from page to page, then the user will be confused by IE5's behavior.
A field named "arg1" which has a stock symbol on one page but is used for
a part number on another page will be "completed" by an illogical value.

Date sent:              Wed, 19 Jan 2000 13:32:52 +0100
Send reply to:          Raistlin <raist () ctrade it>
From:                   Raistlin <raist () ctrade it>
Subject:                R:      Re: ICQ >= 99* + CC Data
Originally to:          VULN-DEV () SECURITYFOCUS COM
To:                     VULN-DEV () SECURITYFOCUS COM

I read an article about that last night.  Apparently, with the feature
turned on IE just looks at the field name in the HTML code, and throws
up a list of choices that you've previously used for the same field
name elsewhere.


Anyone knows if there is some kind of attribute to tell IntelliNonSense not
to do this even if enabled ?

I mean, something like
<INPUT TYPE="password" NAME="themostimportantpasswordinmylife"
INTELLISENSE="vade_retro_satana">

which tells IntelliSense to stay quiet and not to log the entry ?

In my opinion, such a thing (if applied) would make the security problem a
little easier to manage, since trusted, big, secure sites would activate
this kind of protection on all their password & credit card entries,
effectively making only useless data stay in IntelliSense database.

Obviously, the best would be if Intellisense needed to be activated, not
deactivated, as the simplest rules of security ask.

Raist

Current thread:

Re: ICQ >= 99* + CC Data Ken Williams (Jan 17)
- <Possible follow-ups>
- Re: ICQ >= 99* + CC Data Sachs, Marcus (Jan 17)
- Re: ICQ >= 99* + CC Data Jon Hadley (Jan 17)
  - Re: ICQ >= 99* + CC Data Blue Boar (Jan 17)
    - Re: ICQ >= 99* + CC Data Mikael Olsson (Jan 18)
    - R: Re: ICQ >= 99* + CC Data Raistlin (Jan 19)
    - Re: ICQ >= 99* + CC Data Taavet Hinrikus (Jan 20)
    - Re: R: Re: ICQ >= 99* + CC Data C. C. Camp (Jan 20)
    - Overflows due to unexpected casts Mixter (Jan 20)
- Re: ICQ >= 99* + CC Data Jon Hadley (Jan 18)
- Re: ICQ >= 99* + CC Data Flynn, Harold M. III (Jan 18)