Re: Security Bug in IE

From: Alun Jones [MS MVP] (alun_at_texis.invalid)
Date: 03/26/04


Date: Thu, 25 Mar 2004 23:44:29 GMT

In article <uF5Sk0lEEHA.4080@TK2MSFTNGP09.phx.gbl>, "Karl Levinson [x y]
mvp" <levinson_k@despammed.com> wrote:
>This might or might not be a questionable design and it might be a good
>thing for Microsoft to change, if we can reproduce it.

It's similar to previous IE behaviour where IE includes the username and
password in the address bar. As has been discussed elsewhere,
shoulder-surfing is easier to do in many circumstances than monitoring an IP
connection [especially since the OP has noted that he was using IPSec to
encrypt IP traffic between his machine and his home server].

>But I'm having
>trouble figuring out how an attacker could exploit this. Not too many
>people print out the contents of FTP sites, and the attacker would probably
>need to be able to access your printer, and as was previously noted, if
>you're using FTP in the first place, especially with an ID and password,
>you're not overly concerned about basic security.

I think the deal is that IE knows this is a username and a password, and
should not be storing it in cleartext in any place that it doesn't need to -
that includes the address bar, and any printouts.

Question - with IE configured to allow http://user:password@example.com,
does it print that user name and password, too? It'd probably be a good
idea to hide that from the printout, too.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]

-- 
Texas Imperial Software   | Find us at http://www.wftpd.com or email
1602 Harvest Moon Place   | alun@texis.com.
Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
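The point Alun makes above, that a client which knows a URL component is a password should not reproduce it in the address bar, in printouts or anywhere else it is not needed, is easy to enforce in one place: strip the userinfo from a URL before it is displayed, logged or printed. The following is an added example (not code from the post, from Microsoft or from WFTPD) showing that redaction with Python's standard library; the function names and the sample log line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches anything that looks like an absolute URL inside free text
# (a log line, a print job, a status bar). Constructed for this example.
_URL_RE = re.compile(r"\b[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s\"'<>]+")


def redact_url_credentials(url: str, keep_username: bool = False) -> str:
    """Return *url* with the user:password@ part removed.

    ftp://alice:s3cret@files.example.com/docs/  ->  ftp://files.example.com/docs/

    With keep_username=True the username survives but the password never does.
    URLs without a userinfo part are returned unchanged.
    """
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url

    # rpartition: the last '@' separates userinfo from host[:port], so a
    # percent-encoded '@' inside the password cannot confuse the split.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    username = userinfo.partition(":")[0]

    if keep_username and username:
        netloc = f"{username}@{hostport}"
    else:
        netloc = hostport

    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def redact_urls_in_text(text: str, keep_username: bool = False) -> str:
    """Redact every credential-bearing URL found in a block of text.

    Intended for the places the thread worries about: address-bar history,
    printouts, and application logs that echo the URL that was opened.
    """
    return _URL_RE.sub(lambda m: redact_url_credentials(m.group(0), keep_username), text)


def find_urls_with_credentials(text: str) -> list:
    """Detection helper: list the URLs in *text* that still carry userinfo.

    Useful as a check over a log file or spool directory to confirm that no
    cleartext FTP/HTTP credentials have been written out.
    """
    return [m.group(0) for m in _URL_RE.finditer(text) if "@" in urlsplit(m.group(0)).netloc]


if __name__ == "__main__":
    # Constructed sample of what a client log line might look like.
    line = "opened ftp://alice:s3cret@files.example.com/docs/ at 10:00"
    print(find_urls_with_credentials(line))
    print(redact_urls_in_text(line))
    print(redact_url_credentials("http://user:password@example.com", keep_username=True))
```

The redaction is applied at the boundary where the URL leaves the program's memory and becomes something a bystander can read; keeping the username is a reasonable compromise when the display must still identify which account was used, but the password has no business in any of those places.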
