httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sameer <sam...@c2.net>
Subject Re: [SECURITY] What to do with security bug which I found?
Date Wed, 23 Jul 1997 16:40:31 GMT
	This sort of bug is pretty weel known, where MSIE reveals
password information which it shouldn't. I suggest posting to bugtraq.


> Hi Apache Developers,
> 
> I don't know who exactly is to blame for this bug: in the referer_log of
> my apache_1.2.1, I just found a log entry...
> 
>    http://someuser:somepass@somehost/some/request/ -> http://somewhere.else
> 
> 1) The user who made the access claims he used IE3 via PPP dial up to my
>    server, and <someuser> and <somepass> are his DIALUP LOGIN / PASSWORD!
>    He claims, too, that he never entered either into the browser's "goto
>    URL" field, so IE3 must have added them without him knowing it.
>    Now is that another MS security bug!
>    [[<someuser> is not 100% sure if he used IE3 or NS3, but because NS
>    wouldn't have access to the dialup information, I _guess_ it must have
>    been IE3 because it's much more tightly coupled with the dialup
>    routines]]
> 
> 2) Apache might want to circumvent this bug by stripping <someuser>:<somepass>@
>    out of the request, as it is done for FTP requests in the proxy module.
> 
> My question to you: what should I make out of this? Does it go to CERT,
> or to MS, or to news:comp.infosystems.www.browsers.ms-windows?
> What's your tip?
> 
>     Martin
> -- 
> | S I E M E N S |  <Martin.Kraemer@mch.sni.de>  |      Siemens Nixdorf
> | ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
> | N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
> ~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
> 


-- 
Sameer Parekh					Voice:   510-986-8770
President					FAX:     510-986-8777
C2Net
http://www.c2.net/				sameer@c2.net

Mime
View raw message