Re: Getting round website authentication with Firefox

• Previous message: E. Kellinis: "Re: several vulnerabilities present in Belkin wireless routers"
• In reply to: account.throw_at_gmail.com: "Getting round website authentication with Firefox"
• Next in thread: Nate Smith: "Re: Getting round website authentication with Firefox"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 28 Jul 2005 01:55:10 +0200
To: bugtraq@securityfocus.com

account.throw@gmail.com wrote:
> Using firefox's "save target as" feature, you can get round web authentication.
>
> Make a password protected directory (with a video file inside) (using .htaccess and htpasswd), check that it actully requires a login when you click the link to the video normally, then create a hyperlink to the file, right click save as - oh snap, it doesn't ask for authentication.
>
> I've only tested it with a video file and Firefox 1.0.6.

Nope. This cannot work, you probably messed up your basic auth settings in
Apache. If you perform a HEAD /protected/video.avi, you will already see the 401
header - and there is no way to bypass that with a client.

For the sake of the argument, I actually tried it out - and it doesn't work (of
course).

I'd suspect that you a) didn't configure the basic auth properly or b) have run
into the infamous basic auth caching issue (a.k.a. "we can't log out users with
basic auth").

--ck

• Previous message: E. Kellinis: "Re: several vulnerabilities present in Belkin wireless routers"
• In reply to: account.throw_at_gmail.com: "Getting round website authentication with Firefox"
• Next in thread: Nate Smith: "Re: Getting round website authentication with Firefox"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]