2 Bugs, IIS and IE 5.0
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: 2 Bugs, IIS and IE 5.0
- From: Joe Foley <jfoley@CLARK.NET>
- Date: Tue, 18 May 1999 12:14:09 -0400
- Approved-By: Russ.Cooper@RC.ON.CA
- Organization: Flagship Customs Services, Inc.
- Reply-To: Joe Foley <jfoley@CLARK.NET>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

Hello All, first time poster here.

One of these is a bug that Microsoft has already acknowledged (the one in IIS, which will get less attention here). The other (in IE 5.0) they probably consider a new security feature and would probably say that I've got a huge security hole in my system. I would disagree with this.

Here is the situation:

A user enters a site that is controlled by HTTP Basic Authentication and enters his/her username and password. As they continue to work on the site, the credentials that they have entered are passed with each request transparently. At a point later in the site, they run javascript that opens a pop-up window on the same site ( via window.open(name,URL,"options") ). Bear in mind that the URL requested in the window.open is on the same server, and even in the same directory of the document that contains the javascript where the window.open is run.

Bug No. 1 --- IE 5.0 DOES NOT pass the credentials (username/password) with the request for the URL in the window.open.

Bug No. 2 --- IIS 3.0 (and I believe other versions) on a site that has both anonymous and authenticated areas does not ask the browser for credentials on a CGI script that requires them; it will just run the script as the IUSR_computername account, which in this case results in a 'Permission Denied' when it tries to run. If you have previously authenticated and a CGI request receives the username/password without asking, it will run as the username specified.

Notes:

1. IE 4.0/3.0 & all versions of Netscape have previously passed the credentials in the request to the URL in window.open.

2. I can understand a browser not passing credentials it has cached if a document requests a protected URL on a different server.

3. When, for testing, the server side of this app is run on a different server (Sun/Apache), and the server sees the request without credentials, it prompts the browser to ask for them.

4. I have to run this app on IIS for other security reasons. The popup window in question is used for a code lookup that needs to access our database ( via an ISAPI dll that only runs w/NT & IIS ) and in order for the codes to be automatically posted from the popup window back to the form in the original window, both must be from the same server (a security policy that makes perfect sense, and only IE4.0 implements properly).

5. By 'caching' the credentials, I'm not referring to the 'Save Username/Password' option that you get when presented with the username/password dialog.

Any thoughts on this situation???

Thanks,
Joe Foley
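
The server-side behaviour contrasted in Bug No. 2 and note 3, as an added example that is not part of the original post: a request for a protected resource that arrives without usable credentials is answered with a 401 challenge instead of being run under the anonymous account. The realm, path prefix, user table and function names are constructed for illustration, and the path is assumed to be already normalized by the server.

```python
import base64
import hmac

# Constructed sample configuration (not from the original post).
REALM = "lookup"
PROTECTED_PREFIXES = ("/scripts/secure/",)
USERS = {"alice": "correct horse"}  # constructed demo credentials


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8 are both ValueError subclasses
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorize(path, authorization=None):
    """Decide how to answer a request: (status, headers, run_as)."""
    challenge = {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    if not path.startswith(PROTECTED_PREFIXES):
        # Anonymous area: serve under the anonymous account.
        return 200, {}, "anonymous"
    creds = parse_basic(authorization)
    if creds is None:
        # Protected area without usable credentials: challenge the browser
        # rather than silently falling back to the anonymous account.
        return 401, challenge, None
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison; unknown users are compared against a dummy.
    ok = hmac.compare_digest(password.encode(), (expected or "\0").encode())
    if expected is None or not ok:
        return 401, challenge, None
    return 200, {}, user
```

With this decision logic, a browser that omits cached credentials on a pop-up request gets a prompt for them, which is the Apache behaviour described in note 3.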