WebApp Sec mailing list archives

RE: unable to access web site embeds username & password


From: Liam Quinn <liam () htmlhelp com>
Date: Fri, 25 Jun 2004 00:00:09 -0400 (EDT)

On Thu, 24 Jun 2004, Konstantin Ryabitsev wrote:

> On Tue, 2004-06-22 at 16:36, Brown, James F. wrote:
> > Keep in mind that passing passwords on the URL like this is horribly
> > insecure. Your password will wind up sitting in web server logs, proxy
> > server logs and will in some cases get sent off to other sites via the
> > http referer mechanism.
>
> I don't think that's correct. We're talking about this format:
>
> http://username:password@web.site.tld/
>
> To my knowledge this will instruct the server to pass the login
> information as part of the HTTP header in response to a 40x, not as part
> of the actual URL, so it will not be stored in access logs on the
> end-site, or on the proxy server.

Depending on the user-agent, the URL including username:password may be 
sent in the HTTP Referer header, which is commonly logged.  That's 
generally considered a bug in the user-agent, but it's an easy mistake to 
make:

http://www.kde.org/info/security/advisory-20030729-1.txt

    Konqueror may inadvertently send authentication credentials to
    websites other than the intended website in clear text via the
    HTTP-referer header when authentication credentials are passed as part
    of a URL in the form of http://user:password@host/

-- 
Liam Quinn
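The Referer leak described in this thread, as an added example that is not part of the original posts: a small Python check that parses combined-format access log lines (constructed sample lines below), flags any Referer that still carries user:password@ userinfo, and shows the redaction a user agent should apply before sending the Referer. The log format and the hostnames are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Combined log format: client, ident, user, [time] "request" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def has_userinfo(url: str) -> bool:
    """True when the authority part carries credentials (user:password@host)."""
    return "@" in urlsplit(url).netloc

def strip_userinfo(url: str) -> str:
    """Drop user:password@ from the authority, which is what a correct
    user agent does before putting a URL into the Referer header."""
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]  # keep host[:port] exactly as written
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def find_leaked_referers(lines):
    """Return (client_ip, user_agent, redacted_referer) for every log line whose
    Referer embedded credentials. The secret itself is never copied into the result."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        referer = m.group("referer")
        if referer != "-" and has_userinfo(referer):
            hits.append((m.group("ip"), m.group("ua"), strip_userinfo(referer)))
    return hits

# Constructed sample log lines (not real traffic): the first one shows a
# user agent that copied the credential-bearing URL into the Referer.
LOG_LINES = [
    '10.0.0.5 - - [25/Jun/2004:00:00:09 -0400] "GET /page.html HTTP/1.1" 200 512 '
    '"http://user:s3cret@web.site.tld/private/" "Konqueror/3.1"',
    '10.0.0.6 - - [25/Jun/2004:00:01:12 -0400] "GET /page.html HTTP/1.1" 200 512 '
    '"http://web.site.tld/private/" "Mozilla/5.0"',
    '10.0.0.7 - - [25/Jun/2004:00:02:30 -0400] "GET /other HTTP/1.1" 200 100 "-" "curl/7.0"',
]

if __name__ == "__main__":
    for ip, ua, ref in find_leaked_referers(LOG_LINES):
        print(f"credentials in Referer from {ip} ({ua}): {ref}")
```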