WebApp Sec mailing list archives
RE: unable to access web site embeds username & password
From: Liam Quinn <liam () htmlhelp com>
Date: Fri, 25 Jun 2004 00:00:09 -0400 (EDT)
On Thu, 24 Jun 2004, Konstantin Ryabitsev wrote:
> On Tue, 2004-06-22 at 16:36, Brown, James F. wrote:
> > Keep in mind that passing passwords on the URL like this is horribly
> > insecure. Your password will wind up sitting in web server logs, proxy
> > server logs and will in some cases get sent off to other sites via the
> > http referer mechanism.
>
> I don't think that's correct. We're talking about this format:
>
>   http://username:password@web.site.tld/
>
> To my knowledge this will instruct the server to pass the login
> information as part of the HTTP header in response to a 40x, not as part
> of the actual URL, so it will not be stored in access logs on the
> end-site, or on the proxy server.
Depending on the user-agent, the URL including username:password may be
sent in the HTTP Referer header, which is commonly logged. That's generally
considered a bug in the user-agent, but it's an easy mistake to make:

  http://www.kde.org/info/security/advisory-20030729-1.txt

  Konqueror may inadvertently send authentication credentials to websites
  other than the intended website in clear text via the HTTP-referer header
  when authentication credentials are passed as part of a URL in the form
  of http://user:password@host/

--
Liam Quinn
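The leak the thread is arguing about is easy to see mechanically: the credentials live in the URL's userinfo component, so anything that copies the whole URL (a Referer header, an access log, a proxy log) carries them along. The following is an added example, not code from the thread or from any of its posters. It uses the Python standard library to split a user:password@host URL into its parts, builds a Referer-safe form (userinfo and fragment dropped, which is what a correct user-agent should send), and scans constructed Apache-style combined log lines for Referer values that still contain embedded credentials. All log lines, hostnames and account names below are constructed samples.

```python
"""Added example (not from the mailing-list thread): handling of the
http://user:password@host/ URL form discussed above, from a defender's side.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def split_credentials(url: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (url_without_userinfo, username, password).

    urlsplit() parses RFC 3986 userinfo into .username/.password and gives a
    .hostname/.port pair with the userinfo already removed, so the cleaned URL
    is rebuilt from those.  Note that .hostname is normalised to lower case.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                 # bare IPv6 literal: restore the brackets
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, parts.username, parts.password


def safe_referer(url: str) -> str:
    """Value a user-agent may put in a Referer header for this URL:
    no userinfo (the credential leak) and no fragment."""
    clean, _user, _password = split_credentials(url)
    scheme, netloc, path, query, _fragment = urlsplit(clean)
    return urlunsplit((scheme, netloc, path, query, ""))


# Constructed sample log lines in Apache "combined" format (not real traffic).
# Line 1 shows what a buggy user-agent leaves behind on a third-party server.
LOG_LINES: List[str] = [
    '203.0.113.5 - - [25/Jun/2004:00:00:09 -0400] "GET /index.html HTTP/1.1" '
    '200 512 "http://alice:s3cret@intranet.example/login" "Konqueror/3.1"',
    '203.0.113.6 - - [25/Jun/2004:00:01:10 -0400] "GET /index.html HTTP/1.1" '
    '200 512 "http://intranet.example/login" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jun/2004:00:02:11 -0400] "GET /a.png HTTP/1.1" '
    '200 100 "-" "Mozilla/5.0"',
]

# Last two quoted fields of the combined format: referer and user-agent.
_TAIL_RE = re.compile(r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def find_leaked_credentials(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines for Referer values carrying userinfo.

    Returns (1-based line number, username, referer with userinfo stripped).
    The password is deliberately not returned: a detection report should not
    copy the secret it is warning about into yet another log.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = _TAIL_RE.search(line)
        if not m:
            continue                # not a combined-format line; skip it
        clean, user, _password = split_credentials(m.group("ref"))
        if user is not None:
            hits.append((lineno, user, clean))
    return hits


if __name__ == "__main__":
    print(split_credentials("http://username:password@web.site.tld/"))
    print(safe_referer("http://alice:s3cret@intranet.example/login?x=1#top"))
    for hit in find_leaked_credentials(LOG_LINES):
        print("credential in Referer at log line %d (user %r, url %s)" % hit)
```

The scanner is the check a site operator would run over their own access logs to find out whether visitors' user-agents are shipping credentials in Referer headers; `safe_referer()` is the transformation a user-agent (or an outbound proxy) must apply before emitting the header at all.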