Re: obtain domain users password via asp server variable
- To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
- Subject: Re: obtain domain users password via asp server variable
- From: Russ <Russ.Cooper@RC.ON.CA>
- Date: Wed, 12 Aug 1998 10:04:56 -0400
- Comments: To: VINCENT LOK <vincentl@VOL.NET>
- Reply-To: Russ <Russ.Cooper@RC.ON.CA>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

Vincent said...

>It is just too easy for someone to trap passwords simply using a
>few lines of ASP code. Can this be considered as a SEB?

This isn't a SEB, but it's worth knowing.

A Basic Authentication IIS site is going to prompt the user for a userID and password. If they're operating in a normal NT site, this is going to be an abnormal prompt (they don't get prompted for sites that use NTLM, or anything else that uses the NT Challenge/Response mechanism). As such, it should trigger a reaction "Why am I being asked for a password?".

Luckily we made a stink during the IIS betas over the lack of any dialog when enabling Basic Authentication for IIS. Now we have nice lengthy and informative dialogs that explain the risks of doing this. Anyone who accepts Basic Authentication after reading that dialog should already be aware of the risks of doing so.

If the alternative is to store the password in a cookie, I'd say that this is just as insecure as being able to retrieve it from a server variable (if not identical).

Cheers,
Russ
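
The difference between Basic Authentication and NT Challenge/Response discussed in the message above, as an added example that is not part of the original post: it classifies `Authorization` header values and reports whether the server-side application receives a recoverable password. It goes slightly beyond the message by inspecting the NTLMSSP message type; the function name and the sample headers are constructed for illustration.

```python
import base64
import binascii
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Constructed sample headers (not taken from the original post).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"DOMAIN\\alice:Passw0rd!").decode()
SAMPLE_NTLM = "NTLM " + base64.b64encode(
    NTLM_SIGNATURE + struct.pack("<II", 1, 0xB207)).decode()
SAMPLE_BROKEN = "Basic !!!not-base64"


def classify_authorization(header_value):
    """Describe what the server side learns from one Authorization header."""
    scheme, _, blob = header_value.strip().partition(" ")
    result = {"scheme": scheme.lower(), "password_exposed": False, "detail": ""}
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        result["detail"] = "malformed base64"
        return result
    if result["scheme"] == "basic":
        # Basic is only base64("user:password"); any server-side code can undo it.
        user, sep, password = raw.decode("latin-1").partition(":")
        if not sep:
            result["detail"] = "no user:password separator"
            return result
        result.update(password_exposed=True, user=user,
                      detail="cleartext password (%d chars) reaches the application"
                      % len(password))
    elif result["scheme"] == "ntlm":
        # NTLM carries negotiate/challenge/response messages, never the password itself.
        if len(raw) < 12 or raw[:8] != NTLM_SIGNATURE:
            result["detail"] = "not an NTLMSSP message"
            return result
        (msg_type,) = struct.unpack("<I", raw[8:12])
        result["detail"] = ("NTLMSSP %s message, no cleartext password"
                            % NTLM_TYPES.get(msg_type, "unknown"))
    else:
        result["detail"] = "scheme not analysed"
    return result


if __name__ == "__main__":
    for header in (SAMPLE_BASIC, SAMPLE_NTLM, SAMPLE_BROKEN):
        print(classify_authorization(header))
```

Run over web server or proxy request captures, the same check shows which sites in an NT environment are still receiving Basic credentials.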