obtain domain users password via asp server variable
- To: NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM
- Subject: obtain domain users password via asp server variable
- From: VINCENT LOK <vincentl VOL.NET>
- Date: Wed, 12 Aug 1998 19:26:27 +0800
- Reply-To: VINCENT LOK <vincentl VOL.NET>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ LISTSERV.NTBUGTRAQ.COM>
Dear all,

Just noticed that with basic authentication on IIS, one can obtain
the password of users accessing the ASP page via the server variable
AUTH_PASSWORD.

The line <%= Request.ServerVariables("AUTH_PASSWORD") %>
in an ASP file will do the trick.

With this, web page authors/content providers (probably not the
same person who administers the web server and NT domain) can easily
trap the passwords of other domain users.

Basic authentication is never secure as it is possible to capture
the password by sniffing and decoding the authentication packets, but this
would require accessibility to the network and some (though not much)
technical expertise.

It is just too easy for someone to trap passwords simply using a few
lines of ASP code. Can this be considered as a SEB?

Regards,
Vincent Lok
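
An audit check for the exposure described in this post, as an added example that is not part of the original message: it scans ASP source for reads of AUTH_PASSWORD so an administrator can review what content authors have deployed. Going beyond the post, it also flags HTTP_AUTHORIZATION (the raw Basic-auth header) and the Request("...") shorthand; the file names and sample pages are constructed.

```python
import re
from pathlib import Path

# AUTH_PASSWORD is the variable named in the post. HTTP_AUTHORIZATION (the raw
# Basic-auth header, base64 of "user:password") is an addition of this example.
SENSITIVE = ("AUTH_PASSWORD", "HTTP_AUTHORIZATION")

# Matches Request.ServerVariables("X") and the Request("X") shorthand, which
# also searches ServerVariables. VBScript is case-insensitive, so is the match.
PATTERN = re.compile(
    r"""\bRequest\s*(?:\.\s*ServerVariables\s*)?\(\s*["']({})["']\s*\)""".format(
        "|".join(SENSITIVE)),
    re.IGNORECASE,
)

def scan_source(name, text):
    """Return (file, line number, variable) for every credential read found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in PATTERN.finditer(line):
            findings.append((name, line_no, match.group(1).upper()))
    return findings

def scan_dir(root, exts=(".asp", ".asa", ".inc")):
    """Scan every ASP-related file under root (for example the web content root)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            findings += scan_source(str(path), path.read_text(errors="replace"))
    return findings

# Constructed sample pages, not taken from any real site.
SAMPLE_PAGES = {
    "profile.asp": '<html>\n<%= Request.ServerVariables("AUTH_PASSWORD") %>\n</html>\n',
    "log.asp": '<%\nu = Request.ServerVariables("AUTH_USER")\n'
               'p = request( "auth_password" )\n%>\n',
    "hello.asp": '<%= Request.ServerVariables("SERVER_NAME") %>\n',
    "form.asp": '<% x = Request.Form("AUTH_PASSWORD") %>\n',  # form field, not a match
}

if __name__ == "__main__":
    for name, text in SAMPLE_PAGES.items():
        for finding in scan_source(name, text):
            print("%s:%d reads %s" % finding)
```

Each finding is a page to review with its author; a match is a prompt for inspection, since the scan is textual and does not follow values built at run time.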