Penetration Testing mailing list archives
Re: [PEN-TEST] HTML source code and authentication
From: "Adams, Gavin" <gadams () PROMISANT COM>
Date: Mon, 18 Dec 2000 15:50:14 -0400
Well, I don't think knowing the .dll name is necessarily bad, but what would intrigue me is the /scripts directory. If the server hasn't been patched, the UNICODE exploit (among others) could garner some trophies.

Look at some sites such as www.thawte.com who use similar methods.

-----Original Message-----
From: Skinner, Tim L. [mailto:tskinner () LARSONALLEN COM]
Sent: Monday, December 18, 2000 15:13
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] HTML source code and authentication

Hi all,

I must first apologize about my general ignorance of HTML, but I've been asked to look into this. I have a question regarding the source code of a web page that authenticates users. The snippet of source code from the web page in question is as follows:

#<H2><font color=9771824>Member Sign On</font></H2>
#<form name="signon" action="/scripts/ibank.dll" method=post>
#<INPUT TYPE ="HIDDEN" NAME=Func VALUE="SignOn">
#<INPUT TYPE=HIDDEN NAME=Frames VALUE="150">
#<INPUT TYPE ="HIDDEN" NAME=homepath VALUE="cu3">

It leaves me wondering if the referenced ibank.dll file is some authentication program of some sort and if the availability of this information simply by clicking on 'view source' is a potential problem. Furthermore, is there a way to obscure this information if it is a risk?