Re: Thumbnail security problem?

From: mae (agrannie_at_notemail.msn.com)
Date: 11/17/03


Date: Mon, 17 Nov 2003 13:10:17 -0600

I could not - it only produced a blank page in the thumbnail, and I did not clear the cache before. Is there any particular kind of site? I logged in to my insurance company. Or maybe I don't meet some other requirement?

mae
-----------------------------------------------

"Bob" <bob@nuclearpower.com> wrote in message news:OSCy%23E2qDHA.3256@tk2msftngp13.phx.gbl...
| Title: Thumbnail Security Problem?
|
| Is there a known problem with Explorer Thumbnail viewer in regards to
| bypassing the basic authentication of a secured web site?
|
| How I was able to repeat the problem:
|
| 1) Log in to a web site that uses BASIC AUTHENTICATION where the browser
| pops up a login dialog box. This is not a cookie-based login system, but one
| that uses BASIC AUTHENTICATION, an HTTP web standard.
|
| 2) Once you log in, use the IE browser option "Send a Link" and send the URL
| to your email address.
|
| 3) Close the browser, restart the browser and clear the cache to make sure
| this is not factored in.
|
| 4) Start Outlook, if not already started and receive your email.
|
| 5) View the email, it should have a single LINK on the page that you should
| be able to click.
|
| What is expected is that you are forced to log in. This is the proper behavior.
| If you are not asked to log in, that is a problem.
|
| 6) Save the URL attachment as a file on your disk. The URL attachment can
| be used as shortcut to the web site.
|
| 7) Use Explorer to show the files in THUMBNAIL mode. Highlight the URL file
| and in the Thumbnail viewer, you will see the WEB SITE.
|
| That is a PROBLEM! If you double click the URL, it should ask you to
| log in. This part works as expected. However, the THUMBNAIL viewer is
| automatically logging you in to show the web site in that little window.
| That's a security flaw.
|
| It would be great if others can repeat this to know I am not crazy. If you
| know a solution, please provide it.
|
| Thanks
|
| PS: I called PC-SAFETY and the tech was able to repeat the problem via the
| email message link, but once he cleared the cache, it didn't happen again.
| He didn't feel that was an issue! Oh Brother! Then he proceeded to blow
| me off that "given the millions of web sites out there and no one reporting
| this, it isn't an issue." Oh Brother! No wonder Microsoft is having such a
| bad image problem! I quickly reminded him that there are people reporting
| basic authentication issues and in fact, the latest IE patch, MS03-048,
| addresses cross-domain basic authentication issues. It went nowhere from
| there. So I'm reporting this here.
|
| -----
|


