WebApp Sec mailing list archives

RE: unable to access web site embeds username & password


From: Noah Gray <NGray () worldrelief net>
Date: Tue, 22 Jun 2004 12:51:33 -0400

By 'Wide' I mean the vast majority of external users who would never change
their registry to access a site.

"Not susceptible to attack" is an indefensible statement. However, refer
to Kerberos for an implementation of authentication that can occur over an
untrusted medium. Our specific system is not public. I'm simply saying it's
possible, the point being that this IE limitation offered the organization
the impetus to improve.

Regards,

Noah Gray

-----Original Message-----
From: Michael Silk
To: Noah Gray; webappsec () securityfocus com
Sent: 6/22/04 12:41 AM
Subject: RE: unable to access web site embeds username & password

Noah,

By wide audience do you mean *unknown* audience?

I.e. you can simply set the site (your site) as a trusted site and it (IE)
will automatically pass the login information via NTLM ... ?

Also, I'm interested ... what system did you use to provide some security
token that is not susceptible to attack (at least attacks which SSL protects
against)?

-- Michael

-----Original Message-----
From: Noah Gray [mailto:NGray () worldrelief net]
Sent: Tuesday, 22 June 2004 12:34 PM
To: webappsec () securityfocus com
Subject: RE: unable to access web site embeds username & password


I recently worked with an organization that had used this in some specific
cases for integration purposes. It was a CMS, complete with some inflexible
ISAPI filters that had mandated the use of the embedded basic
authentication, of course over SSL.

Just to help you resign yourself to your new fate, we searched high and low,
and found NO way to support this functionality in IE browsers for a wide
audience. In the end, we worked with each and every party to switch to a
token-based system in the querystring.

In the end, it was a great chance to rethink how our 3rd party
authentication worked. We were able to implement a system that could be
securely implemented without SSL, which is unheard of in the URL-embedded
basic system.

Believe me when I say that this is a must-upgrade situation. You have to use
some other way to authenticate these intranet users in IE.

Regards,

Noah Gray

-----Original Message-----
From: Ivo Mencke [mailto:imencke () servecentric com]
Sent: Monday, June 21, 2004 11:03 AM
To: bysoo1 () optusnet com au
Cc: webappsec () securityfocus com
Subject: Re: unable to access web site embeds username & password


A security update is available that modifies the default behavior of
Internet Explorer for handling user information in HTTP and in HTTPS URLs:

http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;834489

SUMMARY
A security update is available that removes support for handling user
names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or
HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is
no longer supported in Internet Explorer or in Windows Explorer after
you install the MS04-004 Cumulative Security Update for Internet
Explorer (832894): 

http(s)://username:password@server/resource.ext

I would say, use another browser ....

On Thu, 2004-06-17 at 12:31, OPTUSBYS wrote:
Dear all,

I have discovered that if I access my intranet with a URL that embeds the
username and password, it will not work on workstations that have the latest
Microsoft security patches installed.

http://username:password@webserver/website


Does anyone have a solution to this, because I still don't know which
security patch inhibits the access.

On the other hand, I don't really want to leave my workstations unprotected
too.


Thanks for your contribution.

Much appreciated.


Regards,
Seeker.
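The thread turns on the `http(s)://username:password@server/resource.ext` syntax that MS04-004 stopped honouring, and on the fact that such credentials end up in bookmarks, config files and access logs. The following Python is an added example written for this archive page, not code from any participant in the thread: it scans constructed sample lines (a config entry, an access-log line, an IPv6 endpoint) for URLs carrying userinfo, reports the account name involved, and produces a redacted copy of each line so the secret can be rotated without being copied into tickets. The regular expression, the sample lines and the `***` placeholder are this example's own assumptions.

```python
"""Detect and redact credentials embedded in URLs (scheme://user:pass@host/...).

Added example for the mailing-list thread above; not code from the thread.
It uses urllib.parse so that '@' characters in the path or query (for example
a mail address in a parameter) are not mistaken for a userinfo separator.
"""
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumption: an http/https URL runs until whitespace or a quoting character.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample input: a CMS config line, a proxy/access-log line, a
# clean URL whose query contains '@', and an IPv6 endpoint with userinfo.
SAMPLE_LINES = [
    "cms.endpoint = https://svc_account:S3cret%40pw@cms.example.internal/api/sync",
    '10.0.0.5 - - [21/Jun/2004:11:03:00] "GET http://admin:pa55word@intranet.example/site HTTP/1.1" 200 512',
    "notify = http://intranet.example/page?mail=ops@example.org",
    "ipv6 = http://bob:pw@[::1]:8080/status",
]


def embedded_credentials(url):
    """Return (username, password) if the URL carries userinfo, else None.

    urlsplit only treats an '@' inside the authority (before the first '/',
    '?' or '#') as the userinfo separator, so query-string mail addresses are
    reported as clean.  Userinfo may be percent-encoded, so it is decoded for
    reporting (e.g. 'S3cret%40pw' -> 'S3cret@pw').
    """
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    password = unquote(parts.password) if parts.password is not None else None
    return (unquote(parts.username or ""), password)


def redact_url(url):
    """Return the URL with its userinfo replaced by '***', host and port kept verbatim."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return url
    # Take the host[:port] part after the last '@' exactly as written, so
    # bracketed IPv6 literals and explicit ports survive the rewrite.
    hostport = parts.netloc.rpartition("@")[2]
    return urlunsplit((parts.scheme, "***@" + hostport, parts.path, parts.query, parts.fragment))


def scan_lines(lines):
    """Return [(line_no, username, redacted_line)] for lines holding a credentialed URL."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        redacted = line
        username = None
        for match in URL_RE.finditer(line):
            url = match.group(0)
            creds = embedded_credentials(url)
            if creds is not None:
                username = creds[0]
                redacted = redacted.replace(url, redact_url(url))
        if username is not None:
            findings.append((line_no, username, redacted))
    return findings


if __name__ == "__main__":
    for line_no, username, redacted in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: account '{username}' exposed in URL -> {redacted}")
```

Run against real config or log files, the redacted output is what goes into the change ticket; the `username` field tells you which account to rotate. The third sample line shows why a naive `@`-search is the wrong tool: it would flag a harmless mail address in a query parameter while a proper URL split reports it as clean.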