Vulnerability Development mailing list archives
Re: Remembering Passwords in IE
From: 11a () GMX NET (Bluefish)
Date: Fri, 31 Mar 2000 03:46:47 +0200
Actually, as long as it is on the same server this is the correct behaviour according to the HTTP specs. Basically, it's entirely up to the httpd to implement this in a secure way. The workaround used in Apache is to make it impossible to retrieve passwords/hashes in user modules; the information is never leaked to the user's code. Possibly, an even more strict security measure could be to make it pad the name of the user creating the .htaccess file to AuthName.

Anyway, this is only a problem if we deal with insecure httpds used in conjunction with IE. I think the authors of the HTTP RFC assumed stupid coders on the client side and intentionally left the safekeeping of passwords upon the server software (httpd). Which probably is the best; the other way around is *quite* harder to implement.

Btw, the last post does not comment upon the AuthName. I am assuming that a service with another name at www.host.com is not treated as the same as the two URLs in your example? Not that it would indicate any security problem, but it would be quite ugly coding if it did :)

On Wed, 29 Mar 2000, Chris Adams wrote:
> It remembers passwords by districts. For instance, say I have subscribed to a
> members only site, hosted on www.host.com/foo and another one on
> www.host.com/bar. It will remember my login (to either foo or bar) as being a
> login to www.host.com
>
> Yeah, it's a bug.
>
> Chris
..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
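The behaviour argued over in this thread (credentials remembered per host versus per protection space) can be made concrete with a small model of a browser's Basic-auth credential cache. The following is an added illustration, not code from the thread or from any browser or httpd. It compares two policies: a "host" policy that reuses any credentials for the same host (the behaviour Chris describes), and an "rfc2617" policy that keys the cache by scheme, host and realm (Apache's AuthName) and only sends credentials preemptively for paths at or below the directory where they were first accepted, which is how RFC 2617 section 2 defines the protection space. The hostname, realms, paths and credentials are constructed sample values.

```python
"""Toy model of a browser's HTTP Basic-auth credential cache (added example).

Policies:
  "host"    - one cache entry per host; any path on the host gets the credentials.
  "rfc2617" - protection space = scheme + host + realm; preemptive sending is
              limited to paths at or below the directory of the challenged URL.
All hosts, realms, paths and credentials here are constructed sample values.
"""
import posixpath
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port] of a URL, the 'canonical root URL' of RFC 2617."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def _dir_of(url):
    """Directory of the request path, e.g. /foo/index.html -> /foo/ and / -> /."""
    path = urlsplit(url).path or "/"
    return posixpath.dirname(path).rstrip("/") + "/"


class CredentialCache:
    def __init__(self, policy):
        if policy not in ("host", "rfc2617"):
            raise ValueError("policy must be 'host' or 'rfc2617'")
        self.policy = policy
        self.entries = []  # each entry: origin, realm, dir, creds

    def store(self, url, realm, username, password):
        """Record credentials that answered a 401 challenge for `url` in `realm`."""
        self.entries.append({
            "origin": _origin(url),
            "realm": realm,
            "dir": _dir_of(url),
            "creds": (username, password),
        })

    def lookup_preemptive(self, url):
        """Credentials the client would attach to `url` before any challenge."""
        origin = _origin(url)
        path = urlsplit(url).path or "/"
        for e in self.entries:
            if e["origin"] != origin:
                continue
            if self.policy == "host":
                return e["creds"]  # leaks /foo credentials to /bar on the same host
            if path.startswith(e["dir"]):  # same protection space by path prefix
                return e["creds"]
        return None

    def lookup_for_challenge(self, url, realm):
        """Credentials reused when `url` replies WWW-Authenticate: Basic realm=<realm>."""
        origin = _origin(url)
        for e in self.entries:
            if e["origin"] != origin:
                continue
            if self.policy == "host" or e["realm"] == realm:
                return e["creds"]
        return None


def demo(policy):
    """Reproduce the two-directories-on-one-host scenario from the thread."""
    cache = CredentialCache(policy)
    # Hypothetical: the user logged in to the members area under /foo/.
    cache.store("http://www.host.com/foo/", "Members foo", "alice", "s3cret")
    return {
        "foo_page": cache.lookup_preemptive("http://www.host.com/foo/news.html"),
        "bar_preemptive": cache.lookup_preemptive("http://www.host.com/bar/"),
        "bar_other_realm": cache.lookup_for_challenge("http://www.host.com/bar/", "Members bar"),
        "bar_same_realm": cache.lookup_for_challenge("http://www.host.com/bar/", "Members foo"),
    }


if __name__ == "__main__":
    for policy in ("host", "rfc2617"):
        print(policy, demo(policy))
```

Under the "host" policy every lookup returns the /foo credentials, including the preemptive request to /bar, which is exactly the case where an httpd that exposes the Authorization header to user-controlled code in /bar matters. Under the "rfc2617" policy the /bar request gets nothing preemptively and nothing after a challenge with a different AuthName; only a challenge with the same realm on the same origin (the same protection space) is answered with the cached credentials.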