Re: Remembering Passwords in IE

[11a () GMX NET (Bluefish)]

sounds like this could be exploited if you could fool someone to use your
site and you sniff passwords (or even simpler, runs a modified webserver
which stores the passwords). The security concerns regarding this
and related functions were pointed out when later IE versions were
introduced.

Another vulnerability which was discussed in bugtraq a long while ago is
related to how the http password authentication work out. Lets say
www.test.com has two users which pages are frequently visited by the same
people. Alice is a nice girl who has password protection on her site so
that Malory shouldn't be able to browse her site. But if malroy puts
his own httpd authenticion in http://www.test.com/~malroy/ with the same
values as Alice' (e.g. "Alice Homepage"), all users will send their login
and password to Malroy.

Now the good thing is that the bug is made theoretical by most httpds, as
an example the apache httpd never lets a script know what value a http
password has. So if anyone is interrested in coding httpds, keep in mind
that allowing users to code their own password authentication modules is a
*really* bad idea.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu  
    eleventh alliance development & security team       

On Tue, 28 Mar 2000, Justin Lintz wrote:

> I have IE enabled to remember my passwords for website logins and such.  I
> am subscribed to two separate message boards with the same username but a
> different password.  If I login under Site A and then try to log into Site B
> it remembers Site A’s password and not Site B’s password for when I logged
> in last.  Would anyone consider this a bug of some sort.  Should IE not
> remember the name and password by the webpage not just the username?  Anyone
> else have any similar experiences like this?
>
>        Justin Lintz
> · jlintz () optonline net ·