Re: 2 Bugs, IIS and IE 5.0
- To: NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM
- Subject: Re: 2 Bugs, IIS and IE 5.0
- From: Microsoft BV WWW <msbvwww MICROSOFT.COM>
- Date: Tue, 18 May 1999 12:19:04 -0700
- Approved-By: Russ.Cooper RC.ON.CA
- Comments: To: Joe Foley <jfoley CLARK.NET>
- Reply-To: Microsoft BV WWW <msbvwww MICROSOFT.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM>

Regarding Nr1 ... do you have IE5 'Launch browser windows in a separate process' enabled ... Tools/Internet Options/Advanced/Browsing.

If that is the case then each new window that is opened behaves entirely on its own and the first request will be exactly like the first request of your original browser window. If using IIS Sessions you would see that the new window is also getting its own session to the server. That would explain why the credentials were not being sent along.

If you don't have this setting enabled ... something else is up.

David

-----Original Message-----
From: Joe Foley [mailto:jfoleyCLARK.NET]
Sent: Tuesday, May 18, 1999 18:14
To: NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM
Subject: 2 Bugs, IIS and IE 5.0

Hello All, first time poster here.

One of these is a bug that Microsoft has already acknowledged (the one in IIS, which will get less attention here). The other (in IE 5.0) they probably consider a new security feature and would probably say that I've got a huge security hole in my system. I would disagree with this.

Here is the situation:

A user enters a site that is controlled by HTTP Basic Authentication and enters his/her username and password. As they continue to work on the site, the credentials that they have entered are passed with each request transparently. At a point later in the site, they run javascript that opens a pop-up window on the same site ( via window.open(name,URL,"options") ). Bear in mind that the URL requested in the window.open is on the same server, and even in the same directory of the document that contains the javascript where the window.open is run.

Bug No. 1 --- IE 5.0 DOES NOT pass the credentials (username/password) with the request for the URL in the window.open.

Bug No. 2 --- IIS 3.0 (and I believe other versions) on a site that has both anonymous and authenticated areas does not ask the browser for credentials on a CGI script that requires them, it will just run the script as the IUSR_computername account, which in this case results in a 'Permission Denied' when it tries to run. If you have previously authenticated and a CGI request receives the username/password without asking, it will run as the username specified.

Notes:

1. IE 4.0/3.0 & all versions of Netscape have previously passed the credentials in the request to the URL in window.open.

2. I can understand a browser not passing credentials it has cached if a document requests a protected URL on a different server.

3. When, for testing, the server side of this app is run on a different server (Sun/Apache), and the server sees the request without credentials, it prompts the browser to ask for them.

4. I have to run this app on IIS for other security reasons. The popup window in question is used for a code lookup that needs to access our database ( via an ISAPI dll that only runs w/NT & IIS ) and in order for the codes to be automatically posted from the popup window back to the form in the original window, both must be from the same server (a security policy that makes perfect sense, and only IE4.0 implements properly).

5. By 'caching' the credentials, I'm not referring to the 'Save Username/Password' option that you get when presented with the username/password dialog.

Any Thoughts on this Situation???

Thanks,
Joe Foley
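
The following is an added example, not part of either message in the thread and not IIS or Apache code. It sketches the server behaviour described in note 3: a request for a protected path that arrives without Basic credentials, as a new browser process would send it, gets a 401 challenge instead of silently running as the anonymous account. The path prefix, realm, account and function names are assumptions made for the illustration.

```python
import base64
import hmac

# Constructed sample data: prefix, realm and account are hypothetical.
PROTECTED_PREFIX = "/secure/"
USERS = {"jdoe": "correct horse"}
REALM = "example"

def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def handle(path, headers):
    """Return (status, response headers, identity the handler would run as)."""
    if not path.startswith(PROTECTED_PREFIX):
        return 200, {}, "anonymous"
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(
                expected.encode(), creds[1].encode()):
            return 200, {}, creds[0]
    # Protected path without usable credentials: challenge the client rather
    # than fall back to the anonymous account and fail later on permissions.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, None

def basic_header(user, password):
    """Build the request header a browser replays after the user logs in."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

if __name__ == "__main__":
    # Original window: cached credentials are replayed with the request.
    print(handle("/secure/lookup.cgi", basic_header("jdoe", "correct horse")))
    # New window in a separate process: no credentials, so the server challenges.
    print(handle("/secure/lookup.cgi", {}))
    print(handle("/index.html", {}))
```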