Re: Thumbnail security problem?

From: Hector Santos (nospam_at_nospam.com)
Date: 11/17/03


Date: Mon, 17 Nov 2003 02:42:43 -0500


> > Go Figure
>
> I had not saving the passwords as a gimmie for this one. I'll be
> interested to try it on another couple of machines besides this one
> tomorrow and see what I can come up with. For a start, I bet I'll start
> seeing the problem on the first machine I try it on. I'll post you the
> IIS logs if it looks interesting.

I appreciate a comparison test. Hey, I make no bones. If it's a bug with
our web server, all the better. It means I can fix it asap and be done with
it. One less support issue to deal with. :-) However, I don't think it is
a web server issue. If anything, I did consider if there could be a HTTP
header issue, such as "no-cache" or HTTP 1.0 vs 1.1 response issue? In
other words, it is possible to tell the browser to not cache the
credentials. I don't think so. But we will soon find out.

> I'm surprised no one else is interested in this thread. I know I'm boring
> so it may be my fault, but you'd think the implications of this might
> interest a few others!

I've been in the cyber mail business from all sides for a long time now and
pretty much seen it all. :-) I have my theories. I prefer not to go
there.

Anyway, if you prefer to go direct on this, here is an alias URL that will
allow you to write to me:

                http://www.winserver.com/writetohector

It will redirect to mailto:, popping up your mail client with my work email
address. This way, we don't have to clog the news article bandwidth until
we get a final conclusion.

-- 
Hector Santos
WINSERVER "Wildcat! Interactive Net Server"
support: http://www.winserver.com
sales: http://www.santronics.com

