[1262] in WWW Security List Archive
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
daemon@ATHENA.MIT.EDU (Ralph C. Wolman)
Mon Dec 18 18:26:13 1995
Date: Mon, 18 Dec 1995 16:13:09 -0500 (EST)
From: "Ralph C. Wolman" <rcw@netrix.com>
To: "Lincoln D. Stein" <lstein@genome.wi.mit.edu>
Cc: www-security@ns2.rutgers.edu, jcarroll@redman.canada.dg.com,
tara@linkage.cpmc.columbia.edu
In-Reply-To: <v02140347acfb43d46e03@[18.157.0.189]>
Errors-To: owner-www-security@ns2.rutgers.edu
I cannot duplicate this problem in the 32 bit beta 2.0b3 version of
Netscape for WIndows.
Regards,
Ralph Wolman
On Mon, 18 Dec 1995, Lincoln D. Stein wrote:
> A potentially serious bug has just come to my attention concerning the
> handling of password-protected pages accessed via Netscape 2.0b3.
> Apparently when you type in the password to access a protected document
> Netscape stores the password in a local hidden file (in one of the .db
> files created in the .netscape directory on UNIX systems, and in the
> Netscape Preferences file on Macintoshes). This password is then used for
> accessing the document during subsequent accesses. The problem is that
> Netscape does not delete the stored password when the program quits.
>
> The problem has been reproduced on Unix and Macintosh platforms. I haven't
> tried the Windows implementation yet, but I suspect the same problem
> exists.
>
> This leads to the following behavior:
>
> 1) Open up Netscape and access a password-protected document.
> 2) Quit Netscape
> 3) Start Netscape again and try to retrieve the document. When the
> password-entry dialog comes up, click "Cancel".
> 4) Try to access the document a second time. Now Netscape lets you
> in without asking for the password!
>
> On Unix systems, this means that if you go over to a associate's machine to
> show him a protected document, Netscape will record your typed in password
> for posterity. Your associate now has full access to this page.
>
> The situation is particularly dangerous on PCs in a shared "computer lab"
> environment. Everybody who uses Netscape unwittingly makes his passwords
> available to all other users.
>
> Please let me know if anyone finds out more about this problem. I'm going
> to add it to the WWW security FAQ.
>
> Lincoln
>
> ========================================================================
> Lincoln Stein, M.D.,Ph.D. lstein@genome.wi.mit.edu
> Director: Informatics Core
> MIT Genome Center (617) 252-1916
> Whitehead Institute for Biomedical Research (617) 252-1902 FAX
> One Kendall Square
> Cambridge, MA 02139
> =================http://www-genome.wi.mit.edu/~lstein====================
>
>
>
-----
Ralph Wolman
Netrix Corporation
13595 Dulles Technology Drive
Herndon, VA. 22071
