Thumbnail security problem?
From: Bob (bob_at_nuclearpower.com)
Date: 11/15/03
- Previous message: Roger Abell: "Re: Force Logoff if Inactive"
- Next in thread: Robert Moir: "Re: Thumbnail security problem?"
- Reply: Robert Moir: "Re: Thumbnail security problem?"
- Reply: mae: "Re: Thumbnail security problem?"
Date: Sat, 15 Nov 2003 05:14:22 -0500
Title: Thumbnail Security Problem?
Is there a known problem with Explorer Thumbnail viewer in regards to
bypassing the basic authentication of a secured web site?
How I was able to repeat the problem:
1) Log in to a web site that uses BASIC AUTHENTICATION where the browser
pops up a login dialog box. This is not a cookie-based login system, but one
that uses BASIC AUTHENTICATION, an HTTP web standard.
2) Once you log in, use the IE browser option "Send a Link" and send the URL
to your email address.
3) Close the browser, restart the browser and clear the cache to make sure
this is not factored in.
4) Start Outlook, if not already started, and receive your email.
5) View the email, it should have a single LINK on the page that you should
be able to click.
What is expected is that you are forced to log in. This is the proper behavior.
If you are not asked to log in, that is a problem.
6) Save the URL attachment as a file on your disk. The URL attachment can
be used as shortcut to the web site.
7) Use Explorer to show the files in THUMBNAIL mode. Highlight the URL file
and in the Thumbnail viewer, you will see the WEB SITE.
That is a PROBLEM! If you double click the URL, it should ask you to
log in. This part works as expected. However, the THUMBNAIL viewer is
automatically logging you in to show the web site in that little window.
That's a security flaw.
It would be great if others can repeat this to know I am not crazy. If you
know a solution, please provide it.
Thanks
PS: I called PC-SAFETY and the tech was able to repeat the problem via the
email message link, but once he cleared the cache, it didn't happen again.
He didn't feel that was an issue! Oh Brother! Then he proceeded to blow
me off that "given the millions of web sites out there and no one reporting
this, it isn't an issue." Oh Brother! No wonder Microsoft is having such a
bad image problem! I quickly reminded him that there are people reporting
basic authentication issues and in fact, the latest IE patch, MS03-048
addresses cross-domain basic authentication issues. It went nowhere from
there. So I'm reporting this here.