Bugtraq mailing list archives

Form insecurity in Netscape


From: kelani () KELANI COM (kelani)
Date: Tue, 3 Nov 1998 22:25:35 -0500


*resubmitted with the offending paragraph removed, thanks for your
patience, O phearable one.*

Greetings all,

Apologies if it has already been known or was discussed earlier. I see no
mention in the archive, and it's such an obvious thing...

In the Netscape Navigator 3.x and Communicator 4.x installations at my
school, where all users share a common login, Navigator seems to write a
'nsformXX.tmp' file when a user fills out a form on a webpage. This file
contains the fields the user filled in as plaintext, and looks like this:

Content-type: multipart/form-data;
boundary=---------------------------158841797149
Content-Length: 108

-----------------------------158841797149
Content-Disposition: form-data; name="username"

joe_user
-----------------------------158841797149
Content-Disposition: form-data; name="password"

password
-----------------------------158841797149--

etc...

Scanning through the networked drives brought forth over 1000 such files,
dating back months; most with complete login and password information to
users' web mail accounts, personal homepages, and even a few credit-card
numbers.

Setting memory / disk cache to various settings, including "0", didn't seem
to fix the problem, nor did clearing the cache. Also, not all forms seem to
cause this write-to-disk activity, and the location of these files almost
always seems to be in the temp directory specified in autoexec.bat.

I've seen this happen on machines running Win 3.1, 95, 98 and NT4 (SP3). I
haven't had an opportunity to test a Mac, and my Linux box doesn't seem to
be affected.

So far, the only workaround I've used is to make sure all such files are
deleted on shutdown, but that hardly helps the unknowing school/public
library user much..

Any ideas?

Kind regards,

Kelani


          - kelani -
  -+- http://kelani.com -+-
v7 photorealistic - interactive
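
An added example, not part of the original post: an audit of a shared temp directory for the leftover 'nsformXX.tmp' form dumps described above, reporting only which field names look sensitive (never the values) and optionally deleting the files. The sample file is constructed from the layout quoted in the post; the function names and the sensitive-name pattern are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample that mirrors the file layout quoted in the post.
B = "-----------------------------158841797149"
SAMPLE = "\n".join([
    "Content-type: multipart/form-data;", "boundary=" + B[2:], "Content-Length: 108", "",
    B, 'Content-Disposition: form-data; name="username"', "", "joe_user",
    B, 'Content-Disposition: form-data; name="password"', "", "password",
    B + "--", ""])

FIELD_RE = re.compile(r'Content-Disposition:\s*form-data;\s*name="([^"]*)"', re.I)
# Assumed heuristic: field names that suggest a secret was typed into the form.
SENSITIVE_RE = re.compile(r"pass|pwd|card|cvv|secret", re.I)

def field_names(text):
    """Return the form field names in a leftover dump, never the values."""
    if "multipart/form-data" not in text.lower():
        return []
    return FIELD_RE.findall(text)

def audit_temp_dir(temp_dir, delete=False):
    """Map each nsform*.tmp file to its sensitive field names; optionally delete it."""
    findings = {}
    for path in sorted(Path(temp_dir).iterdir()):
        if not (path.is_file() and re.fullmatch(r"nsform.*\.tmp", path.name, re.I)):
            continue
        names = field_names(path.read_text(errors="replace"))
        findings[path.name] = [n for n in names if SENSITIVE_RE.search(n)]
        if delete:
            path.unlink()  # the shutdown-time cleanup from the post, done on demand
    return findings

def demo():
    """Run the audit against a throwaway directory holding the constructed sample."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "nsform01.tmp").write_text(SAMPLE)
        (Path(d) / "notes.txt").write_text("unrelated")
        report = audit_temp_dir(d, delete=True)
        return report, sorted(p.name for p in Path(d).iterdir())

if __name__ == "__main__":
    print(demo())
```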


