Re: Thumbnail security problem?

From: mae (agrannie_at_notemail.msn.com)
Date: 11/17/03


Date: Mon, 17 Nov 2003 13:10:17 -0600

I could not - it only produced a blank page in the thumbnail, and I did not clear the cache before. Is there any particular kind of site? I logged in to my insurance company. Or maybe I don't meet some other requirement?

mae
-----------------------------------------------

"Bob" <bob@nuclearpower.com> wrote in message news:OSCy%23E2qDHA.3256@tk2msftngp13.phx.gbl...
| Title: Thumbnail Security Problem?
|
| Is there a known problem with Explorer Thumbnail viewer in regards to
| bypassing the basic authentication of a secured web site?
|
| How I was able to repeat the problem:
|
| 1) Log in to a web site that uses BASIC AUTHENTICATION where the browser
| pops up a login dialog box. This is not a cookie-based login system, but one
| that uses BASIC AUTHENTICATION, an HTTP web standard.
|
| 2) Once you log in, use the IE browser option "Send a Link" and send the URL
| to your email address.
|
| 3) Close the browser, restart the browser and clear the cache to make sure
| this is not factored in.
|
| 4) Start Outlook, if not already started, and receive your email.
|
| 5) View the email, it should have a single LINK on the page that you should
| be able to click.
|
| What is expected is that you are forced to log in. This is the proper
| behavior. If you are not asked to log in, that is a problem.
|
| 6) Save the URL attachment as a file on your disk. The URL attachment can
| be used as shortcut to the web site.
|
| 7) Use Explorer to show the files in THUMBNAIL mode. Highlight the URL file
| and in the Thumbnail viewer, you will see the WEB SITE.
|
| That is a PROBLEM! If you double click the URL, it should ask you to
| log in. This part works as expected. However, the THUMBNAIL viewer is
| automatically logging you in to show the web site in that little window.
| That's a security flaw.
|
| It would be great if others can repeat this to know I am not crazy. If you
| know a solution, please provide it.
|
| Thanks
|
| PS: I called PC-SAFETY and the tech was able to repeat the problem via the
| email message link, but once he cleared the cache, it didn't happen again.
| He didn't feel that was an issue! Oh Brother! Then he proceeded to blow
| me off that "given the millions of web sites out there and no one reporting
| this, it isn't an issue." Oh Brother! No wonder Microsoft is having such a
| bad image problem! I quickly reminded him that there are people reporting
| basic authentication issues and in fact, the latest IE patch, MS03-048
| addresses cross-domain basic authentication issues. It went nowhere from
| there. So I'm reporting this here.
|
| -----
|
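
Added example, not part of either post above: a small localhost Basic-authentication test server that records, for every request, whether an Authorization header arrived and whether it was valid, so a thumbnail rendered from reused credentials can be told apart from a cached copy or from the blank page a 401 produces. The user name, password, realm, port and function names are constructed lab values (assumptions).

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed lab values (assumptions, not taken from the thread).
USER, PASSWORD, REALM = "labuser", "labpass", "thumbnail-test"
LOG = []  # one entry per request: (path, user_agent, auth_state)

def auth_state(header):
    """Classify an Authorization header as 'absent', 'valid' or 'invalid'."""
    if not header:
        return "absent"
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return "invalid"
    try:
        supplied = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    expected = f"{USER}:{PASSWORD}".encode()
    return "valid" if hmac.compare_digest(supplied, expected) else "invalid"

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        state = auth_state(self.headers.get("Authorization"))
        LOG.append((self.path, self.headers.get("User-Agent", ""), state))
        ok = state == "valid"
        body = b"<h1>protected page</h1>" if ok else b"login required"
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", f'Basic realm="{REALM}"')
        # The response asks clients not to store it, so a later rendering
        # of the page should correspond to a new entry in LOG.
        self.send_header("Cache-Control", "no-store")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # LOG is the record; keep stderr quiet
        pass

def make_server(port=0):
    """Bind to localhost only; port 0 lets the OS pick a free port."""
    return HTTPServer(("127.0.0.1", port), Handler)

if __name__ == "__main__":
    srv = make_server(8080)
    try:
        srv.serve_forever()
    except KeyboardInterrupt:
        print(*LOG, sep="\n")
```

After walking through the numbered steps against this server, a LOG entry marked 'valid' for the thumbnail's request means credentials were sent without a prompt, an 'absent' entry matches a blank thumbnail, and no entry at all means the picture did not come from a new request.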


