Vulnerability Development mailing list archives
Re: Remembering Passwords in IE
From: 11a () GMX NET (Bluefish)
Date: Thu, 30 Mar 2000 13:29:36 +0200
Sounds like this could be exploited if you could fool someone to use your site and you sniff passwords (or even simpler, run a modified webserver which stores the passwords). The security concerns regarding this and related functions were pointed out when later IE versions were introduced.

Another vulnerability which was discussed in bugtraq a long while ago is related to how the HTTP password authentication works. Let's say www.test.com has two users whose pages are frequently visited by the same people. Alice is a nice girl who has password protection on her site so that Malroy shouldn't be able to browse her site. But if Malroy puts his own httpd authentication in http://www.test.com/~malroy/ with the same values as Alice's (e.g. "Alice Homepage"), all users will send their login and password to Malroy.

Now the good thing is that the bug is made theoretical by most httpds; as an example, the Apache httpd never lets a script know what value an HTTP password has. So if anyone is interested in coding httpds, keep in mind that allowing users to code their own password authentication modules is a *really* bad idea.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team

On Tue, 28 Mar 2000, Justin Lintz wrote:
I have IE enabled to remember my passwords for website logins and such. I am subscribed to two separate message boards with the same username but a different password. If I log in under Site A and then try to log into Site B, it remembers Site A's password and not Site B's password for when I logged in last. Would anyone consider this a bug of some sort? Should IE not remember the name and password by the webpage, not just the username? Anyone else have any similar experiences like this?

Justin Lintz · jlintz () optonline net ·
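The realm collision described in the message above can be checked for on a shared host. The following is an added example, not part of the original posts: it assumes Apache-style `AuthName` directives in per-directory `.htaccess` files and a `/~user/` URL layout, and the sample data is constructed.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: URL path -> .htaccess text (not from any real server).
SAMPLE_HTACCESS = {
    "/~alice/": 'AuthType Basic\nAuthName "Alice Homepage"\nRequire valid-user\n',
    "/~malroy/": '# copied realm\nAuthType Basic\nAuthName "Alice Homepage"\n',
    "/~bob/private/": "AuthType Basic\nAuthName BobFiles\nRequire valid-user\n",
    "/~alice/photos/": 'AuthType Basic\nAuthName "Alice Homepage"\n',
}

USER_DIR = re.compile(r"^/~([^/]+)/")


def realm_of(htaccess_text):
    """Return the AuthName realm declared in an .htaccess body, or None."""
    for line in htaccess_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # handles the quoted realm string
        except ValueError:
            continue  # unbalanced quotes: not a directive we can read
        if len(parts) >= 2 and parts[0].lower() == "authname":
            return parts[1]
    return None


def owner_of(url_path):
    """Owner of a path under the assumed /~user/ layout, else '(site)'."""
    m = USER_DIR.match(url_path)
    return m.group(1) if m else "(site)"


def find_shared_realms(htaccess_by_path):
    """Map realm -> sorted paths, for realms declared by more than one owner."""
    paths_by_realm = defaultdict(list)
    for path, text in htaccess_by_path.items():
        realm = realm_of(text)
        if realm is not None:
            paths_by_realm[realm].append(path)
    return {
        realm: sorted(paths)
        for realm, paths in paths_by_realm.items()
        if len({owner_of(p) for p in paths}) > 1
    }


if __name__ == "__main__":
    for realm, paths in find_shared_realms(SAMPLE_HTACCESS).items():
        print(f"realm {realm!r} shared across owners: {', '.join(paths)}")
```

A realm reused only inside one owner's own directories is not reported; only realms that appear under more than one owner are.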