httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Kraemer <Martin.Krae...@mch.sni.de>
Subject [SECURITY] What to do with security bug which I found?
Date Wed, 23 Jul 1997 13:53:46 GMT
Hi Apache Developers,

I don't know who exactly is to blame for this bug: in the referer_log of
my apache_1.2.1, I just found a log entry...

   http://someuser:somepass@somehost/some/request/ -> http://somewhere.else

1) The user who made the access claims he used IE3 via PPP dial up to my
   server, and <someuser> and <somepass> are his DIALUP LOGIN / PASSWORD!
   He claims, too, that he never entered either into the browser's "goto
   URL" field, so IE3 must have added them without him knowing it.
   Now is that another MS security bug!
   [[<someuser> is not 100% sure if he used IE3 or NS3, but because NS
   wouldn't have access to the dialup information, I _guess_ it must have
   been IE3 because it's much more tightly coupled with the dialup
   routines]]

2) Apache might want to circumvent this bug by stripping <someuser>:<somepass>@
   out of the request, as it is done for FTP requests in the proxy module.

My question to you: what should I make out of this? Does it go to CERT,
or to MS, or to news:comp.infosystems.www.browsers.ms-windows?
What's your tip?

    Martin
-- 
| S I E M E N S |  <Martin.Kraemer@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request

Mime
View raw message