Bugtraq mailing list archives

FTP "Network Place" with saved password will reveal cached password


From: "Aaron Heck" <AHeck () ouc bc ca>
Date: Fri, 14 Dec 2001 10:46:12 -0800

Summary:
When a "Network Place" has been added to "My Network Places" with a
saved username and password it is possible to get Explorer to display
the password in cleartext format by altering the path in the address
bar.
 
Details:
Client Computer: Windows XP Professional (v5.1.2600)
Server Computer: FreeBSD v4.3/4.4 (appears to be server independent but
only tested on FreeBSD servers)
 
I have not tested this in 2000 but I suspect it will behave in a similar
fashion.
 
Methodology example:
FreeBSD server   ftp.someplace.com
Home directory is /usr/home/someuser
Login name is someuser
Password is somepass
 
Double click on My Network Places.
Double click on Add Network Place.
Provide the internet address of ftp://ftp.someplace.com
Provide, when prompted, the username of someuser by deselecting
anonymous login.  Windows will inform you that you will be prompted for
a password.
You can select to "open this network place when I click Finish"
(although it doesn't make a difference if you open the network place
from this dialog or later from the "My Network Places" window).
When prompted, provide your password.  Click the checkbox that says
"remember my password".
You'll now be logged in and your address bar should read something like:
    ftp://someuser@ftp.someplace.com/
Note there is no password.
Click on the address bar and add, to the end of the address, ../
Your address bar will change again but will not reveal the password.
    ftp://someuser@ftp.someplace.com/../
Click on the address bar yet again and add, to the end of the address,
another ../
The title bar will now appear like this:
    ftp://someuser:somepass@ftp.someplace.com/usr/home/someuser/../../
 
When I did this, the directory listing correctly points to the root
directory of my FreeBSD server but the address bar reveals my password
in plaintext format.
 
 
I'm not sure if this is by design but I suspect not.
 
By the way, this behaviour occurs whether you tell Windows to remember
your password or not.  I didn't think it was a problem for sessions
where you're not telling it to remember your password since you'd have
to be there to enter your password to get into the session anyways.  But
for network places with a saved password I think this is a potential
security hole because people at the machine or with access to the
machine could go into your saved network place and get it to regurgitate
your password.
 
Anyways, I couldn't find a place on MS's web site to report this flaw
(if it is a flaw) so this is the only address I'm sending this to.
 
Thanks!
 
Aaron Heck
Instructional Microcomputer Resource Coordinator
Okanagan University College
aheck () ouc bc ca
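
A display-side check for the behaviour reported above, as an added example that is not part of the original post and not Explorer's code: it strips the password from any URL before it reaches an address bar, title bar or log, and flags URLs that carry one. The function names are hypothetical; the sample URLs are the report's three address-bar states, plus one constructed case.

```python
from urllib.parse import urlsplit, urlunsplit


def split_userinfo(netloc):
    """Return (user, password_or_None, hostport) from a URL authority."""
    # Split on the LAST '@' so a password that itself contains '@' is handled.
    userinfo, at, hostport = netloc.rpartition("@")
    if not at:
        return None, None, netloc
    user, colon, password = userinfo.partition(":")
    return user, (password if colon else None), hostport


def display_url(url):
    """Form of the URL that is safe to show: user name kept, password dropped."""
    parts = urlsplit(url)
    user, _password, hostport = split_userinfo(parts.netloc)
    netloc = f"{user}@{hostport}" if user else hostport
    # The path is passed through untouched, so '../' segments cannot change
    # whether the credential is shown.
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def leaks_password(url):
    """True when a URL about to be displayed carries a password in its userinfo."""
    return split_userinfo(urlsplit(url).netloc)[1] is not None


def audit(urls):
    """Return the URLs from a list of displayed strings that expose a password."""
    return [u for u in urls if leaks_password(u)]


# Address-bar states from the report, then one constructed case with '@' in the password.
SAMPLE_BAR_STATES = [
    "ftp://someuser@ftp.someplace.com/",
    "ftp://someuser@ftp.someplace.com/../",
    "ftp://someuser:somepass@ftp.someplace.com/usr/home/someuser/../../",
    "ftp://someuser:p@ss@ftp.someplace.com/",  # constructed
]

if __name__ == "__main__":
    for state in SAMPLE_BAR_STATES:
        print(leaks_password(state), display_url(state))
```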
 

