Re: Basic Authorization Security Issue?

From: Hector Santos (nospam_at_nospam.com)
Date: 10/29/03


Date: Wed, 29 Oct 2003 05:36:59 -0500

Can someone at Microsoft or a MVP please acknowledge this one way or
another?

The silence is making me think this is a real problem and that a fix is
pending in the monthly fixes.

I just need to know if this is the case or if it is possible for a version
of IE to automatically recall Basic Authentication credentials. I know it
doesn't make sense but I have exhausted all possible setup options (that I
am familiar with) with the customer. We have verified that closing the
browser and simply restarting the browser and going back to the web site
allows him to automatically re-login to a basic authentication intranet.

If I don't hear anything soon, I will basically assume it is a security
problem with .NET components integrated into IE and simply pass it on to the
customer to work with Microsoft. I don't have time for this baloney.

-- 
Hector Santos
Santronics Software, Inc.
http://www.santronics.com
"Hector Santos" <nospam@nospam.com> wrote in message
news:ef0uc0QnDHA.3320@tk2msftngp13.phx.gbl...
> I find the following to be an unbelievable claim by an IE user, but is the
> following possible?
>
> I have a customer using our intranet who is saying he is having a Basic
> Authentication security issue with his setup. He says (paraphrased):
>
>             "Even if I close the browser, when I restart it, I can
>             immediately log into the web server again without any basic
>             authorization IE POPUP Dialog login box. It seems like closing
>             the browser is not releasing the credentials as you say it
>             should when the browser is closed."
>
> What gives? Is this possible? I have every reason to indicate that this
> claim would be a major issue with IE and thus, since no one else is
> reporting it, I find it hard to believe.
>
> Today, he confirmed it again saying he has not been to our support web
> site in days and today he restarted the browser, went to our web site and
> he was immediately logged in again without any login dialog.
>
> I checked our web logs and it sure seems to confirm his claim.
>
> When a non-authorized URL request in our intranet web server is
> attempted, a 401 Authorization Error is sent for the response. This forces
> the browser to popup the Basic Authentication login dialog box. The
> request is resent with the basic authorization credentials and the user is
> logged in. The only possible way the web server can get the user account
> name and password is with the HTTP standard Authorization: Basic line.
>
> Based on the web logs, I am seeing the first URL from this specific guy as
> a successful authorized request, thus somewhat validating his claim. The
> reference URL does not contain any login information (i.e.,
> http://user:pwd@domain.com). Even if it was, you can only pass the
> username/password on the URL using a special URL alias that redirects
> them. I don't have my detail socket trace enabled so I can't see/validate
> the GET request block having the authorization header line, but it has to
> be there if he is logged in with this request, which is verified with his
> user name logged.
>
> X.Y.Z.W - MARK XXXXX - [27/Oct/2003:22:44:06 -0500] "GET / HTTP/1.1" 302 141 "http://www.santronics.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)" XXXXXXXXXXXXXXXXXXXXXX
>
> Based on the WEB log entry, he is using the IE browser:
>
> (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
>
> Is this possible with IE? Is it a known issue?
>
>
> --
> Hector Santos
> WINSERVER "Wildcat! Interactive Net Server"
> support: http://www.winserver.com
> sales: http://www.santronics.com
>
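As an added illustration (not part of the original thread), the following Python sketch does over web logs what the post above does by eye: it flags a client whose first request after an idle gap was already accepted with Basic credentials and no preceding 401 challenge, and it decodes an Authorization: Basic value to show that the header is only base64, not encryption. The log lines, IP addresses and usernames are constructed for the example.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined format (not from the original post).
# The third field is the account the server accepted from Authorization: Basic,
# or "-" when the request carried no credentials.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2003:22:44:01 -0500] "GET / HTTP/1.1" 401 0 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - alice [27/Oct/2003:22:44:03 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.7 - mark [29/Oct/2003:05:10:00 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(log_text):
    """Yield (ip, user, timestamp, status) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["user"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def find_preauthenticated_sessions(log_text, idle=timedelta(minutes=30)):
    """Return (ip, user, timestamp) for every session whose FIRST request was
    already authenticated: a new session starts after `idle` of inactivity per
    client IP, and a browser that was challenged would show a 401 line first."""
    by_ip = defaultdict(list)
    for ip, user, ts, status in parse(log_text):
        by_ip[ip].append((ts, user, status))
    flagged = []
    for ip, entries in by_ip.items():
        entries.sort()
        last_ts = None
        for ts, user, status in entries:
            new_session = last_ts is None or ts - last_ts > idle
            if new_session and user != "-" and status != 401:
                flagged.append((ip, user, ts))  # credentials sent without a challenge
            last_ts = ts
    return flagged

def decode_basic(header_value):
    """Split 'Basic <base64>' into (user, password); Basic is encoding, not encryption."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, pwd
```

On the sample data only the 10.0.0.7 client is flagged: its first and only request already carried an accepted username, whereas 10.0.0.5 shows the normal 401-then-200 pair.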
