Bugtraq mailing list archives
Cleartext Password display in NS Communicator
From: fred () DOTCOM FR (Fred Albrecht)
Date: Wed, 2 Jul 1997 17:33:43 +0200
The following has been tested with Netscape Communicator 4.0 on NT 4 and 4.0b4 on Linux with the same results:

Problem: The plaintext password for a machine accessed through FTP is displayed by Communicator in some cases:

Method for reproduction

1. start NS Communicator
2. enter a URL of the form « ftp://user@host »
3. fill in the password in the box that Communicator pops up
4. when the file list is displayed, follow the « Parent Directory » link
5. click « back » (seems to be optional in Linux)

The password is now plainly visible in the URL field: « ftp://user:passwd@host »

This is of course a bad thing especially since JavaScript programs can access the history list. I haven't had time to experiment with JavaScript regarding this but I'm certain someone will :) This has interesting potential.

Netscape has been notified of the problem.

Fred.

--
----------------------------------------------------------
DotCom - Communication Numérique
http://www.dotcom.fr   mailto:info () dotcom fr   +33 01 46 67 51 00
"We use only the freshest handpicked electrons"
----------------------------------------------------------
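Added example, not part of the original post and not Netscape's code: one way a client can drop the password from URL userinfo before a URL is shown in the location field or written to history, and audit an existing history list for entries that still carry one. The names redactUrl, auditHistory and SAMPLE_HISTORY are hypothetical; the code uses the standard URL class found in current browsers and Node.js.

```javascript
"use strict";

// Fallback for strings the URL parser rejects: scheme://user:password@...
// The greedy password part runs to the last "@" before any "/", "?" or "#".
const USERINFO_PASSWORD = /^([a-z][a-z0-9+.-]*:\/\/[^\/?#@:]*):[^\/?#]*@/i;

// Return the form of `raw` that is safe to show in a location bar or keep in
// history, plus a flag saying whether a password had to be removed.
function redactUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch (err) {
    const leaked = USERINFO_PASSWORD.test(raw);
    return { safe: raw.replace(USERINFO_PASSWORD, "$1@"), leaked };
  }
  const leaked = url.password !== "";
  url.password = ""; // the user name stays, so "ftp://user@host" still works
  return { safe: url.href, leaked };
}

// Audit a history list: report every entry that carried a password.
function auditHistory(entries) {
  return entries
    .map((raw, index) => ({ index, ...redactUrl(raw) }))
    .filter((entry) => entry.leaked);
}

// Constructed sample history (not data from the original post).
const SAMPLE_HISTORY = [
  "ftp://user@host",             // step 2 of the report: no password yet
  "ftp://user:passwd@host/",     // the form the report saw in the URL field
  "ftp://user:p%40ss@host/pub/", // percent-encoded "@" inside the password
  "ftp://user:pa@ss@host/",      // raw "@" inside the password
  "ftp://user:passwd@",          // no host: the parser rejects it
  "http://example.test/index.html",
];

for (const hit of auditHistory(SAMPLE_HISTORY)) {
  console.log(`entry ${hit.index}: store as ${hit.safe}`);
}
```

The parser normalises the URL, so the redacted form gains a trailing "/" where the input had no path.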
Current thread:
- Cleartext Password display in NS Communicator Fred Albrecht (Jul 02)
- Re: Cleartext Password display in NS Communicator Holger Kanzog (Jul 02)
- Re: Cleartext Password display in NS Communicator Fred Albrecht (Jul 02)
- Re: Cleartext Password display in NS Communicator Oskar Pearson (Jul 03)