httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: [SECURITY] What to do with security bug which I found?
Date Thu, 24 Jul 1997 13:00:50 GMT

I agree with the comments about MS's handling of password data;
however, I think that in this case the browser has supplied Apache
with the information, and what we do with it is our responsibility.
Handling this case is rather sticky. This may be an issue where we
need to document the fact that these sorts of log files contain
sensitive information and should not be stored with permissions
allowing unauthorized access. The challenge is then left up to the
admin....


> 	This sort of bug is pretty well known, where MSIE reveals
> password information which it shouldn't. I suggest posting to bugtraq.
> 
> 
> > Hi Apache Developers,
> > 
> > I don't know who exactly is to blame for this bug: in the referer_log of
> > my apache_1.2.1, I just found a log entry...
> > 
> >    http://someuser:somepass@somehost/some/request/ -> http://somewhere.else
> > 
> > 1) The user who made the access claims he used IE3 via PPP dial up to my
> >    server, and <someuser> and <somepass> are his DIALUP LOGIN / PASSWORD!
> >    He claims, too, that he never entered either into the browser's "goto
> >    URL" field, so IE3 must have added them without him knowing it.
> >    Now is that another MS security bug!
> >    [[<someuser> is not 100% sure if he used IE3 or NS3, but because NS
> >    wouldn't have access to the dialup information, I _guess_ it must have
> >    been IE3 because it's much more tightly coupled with the dialup
> >    routines]]
> > 
> > 2) Apache might want to circumvent this bug by stripping <someuser>:<somepass>@
> >    out of the request, as it is done for FTP requests in the proxy module.
> > 
> > My question to you: what should I make out of this? Does it go to CERT,
> > or to MS, or to news:comp.infosystems.www.browsers.ms-windows?
> > What's your tip?
> > 
> >     Martin
> > -- 
> > | S I E M E N S |  <Martin.Kraemer@mch.sni.de>  |      Siemens Nixdorf
> > | ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
> > | N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
> > ~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
> > 
> 
> 
> -- 
> Sameer Parekh					Voice:   510-986-8770
> President					FAX:     510-986-8777
> C2Net
> http://www.c2.net/				sameer@c2.net
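As an added illustration of Martin's second point (stripping `user:pass@` before the URL reaches a log), here is a hypothetical C helper; it is not code from the Apache tree or from anyone in this thread, and the sample referer is the constructed one from the report.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy `url` into `out`, dropping any "user:pass@" userinfo in front of the
 * host, so a Referer value can be logged without credentials.
 * Returns 1 if something was stripped, 0 if copied unchanged, -1 if `out`
 * is too small. Hypothetical helper written for this note, not Apache code. */
int strip_userinfo(const char *url, char *out, size_t outlen)
{
    const char *auth;      /* start of the authority (host) part */
    const char *auth_end;  /* first '/', '?' or '#' after the authority */
    const char *at = NULL; /* last '@' inside the authority, if any */
    size_t prefix_len, total;

    /* The authority begins after "scheme://"; a bare "host/path" has none. */
    auth = strstr(url, "://");
    auth = auth ? auth + 3 : url;
    auth_end = auth + strcspn(auth, "/?#");

    /* Only an '@' before the path/query delimiter can belong to userinfo;
     * an '@' later in the path (e.g. /a@b) is left alone. */
    for (const char *p = auth; p < auth_end; p++)
        if (*p == '@')
            at = p;

    if (!at) {
        if (strlen(url) + 1 > outlen) return -1;
        strcpy(out, url);
        return 0;
    }

    prefix_len = (size_t)(auth - url);       /* "scheme://" or "" */
    total = prefix_len + strlen(at + 1);
    if (total + 1 > outlen) return -1;
    memcpy(out, url, prefix_len);
    strcpy(out + prefix_len, at + 1);        /* host and everything after */
    return 1;
}

int main(void)
{
    /* Constructed sample referer, as in the reported referer_log entry. */
    char clean[256];
    if (strip_userinfo("http://someuser:somepass@somehost/some/request/",
                       clean, sizeof clean) < 0)
        return 1;
    printf("%s\n", clean);   /* http://somehost/some/request/ */
    return 0;
}
```

File permissions on the log remain a separate control: redaction limits what a reader of the log learns, while restrictive modes limit who can read it at all.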