Penetration Testing mailing list archives

Re: [PEN-TEST] HTML source code and authentication


From: "Adams, Gavin" <gadams () PROMISANT COM>
Date: Mon, 18 Dec 2000 15:50:14 -0400

Well,

I don't think knowing the .dll name is necessarily bad, but what would
intrigue me is the /scripts directory. If the server hasn't been patched,
the UNICODE exploit (among others) could garner some trophies.

Look at some sites such as www.thawte.com who use similar methods.

 -----Original Message-----
From:   Skinner, Tim L. [mailto:tskinner () LARSONALLEN COM] 
Sent:   Monday, December 18, 2000 15:13
To:     PEN-TEST () SECURITYFOCUS COM
Subject:             [PEN-TEST] HTML source code and authentication

Hi all,

I must first apologize about my general ignorance of HTML, but I've been
asked to look into this.  I have a question regarding the source code of a
web page that authenticates users.  The snippet of source code from the web
page in question is as follows:

#<H2><font color=9771824>Member Sign On</font></H2>
#<form name="signon" action="/scripts/ibank.dll" method=post>
#<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
#<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
#<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">

It leaves me wondering if the referenced ibank.dll file is some
authentication program of some sort and if the availability of this
information simply by clicking on 'view source' is a potential problem.
Furthermore, is there a way to obscure this information if it is a risk?

