[10903] in bugtraq


Re: IIS 4.0 admin bug

daemon@ATHENA.MIT.EDU (Aleph One)
Fri Jun 25 13:05:05 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990625105815.B13272@underground.org>
Date: 	Fri, 25 Jun 1999 10:58:15 -0700
Reply-To: Aleph One <aleph1@UNDERGROUND.ORG>
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <D1A11CCE78ADD111A35500805FD43F5801979189@RED-MSG-04>

Folks, the password must be stored in clear text. The best you
can do is obfuscate it. It's just a fact you need the plain text
password under NT to impersonate an account unless they have connected
to the server through a named pipe or some other similar mechanism.
This is why IIS needs the password to impersonate the account that
owns the directory to access it.


--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
