[11500] in bugtraq
Re: Winamp SHOUTcast server: Gain Administrator Password
daemon@ATHENA.MIT.EDU (Philip Stoev)
Tue Aug 24 18:17:12 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <199908231543.SAA02919@sonata.einet.bg>
Date: Mon, 23 Aug 1999 18:48:31 +0300
Reply-To: Philip Stoev <philip@EINET.BG>
From: Philip Stoev <philip@EINET.BG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> The password is also LOGGED when the web based administration tool is
> used. It can be obtained by simply grep'ing the logfile output. The
> offending line is here:
> <08/20/99@06:11:41> [http:1 my.computer.com]
> REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE
> 5.0; Windows 98))
It seems that many people still do not get the idea that POST should be
used instead of GET in any situation where authentication takes place via
an HTML page. The GET arguments can show up not only in a web server log,
but in the log of a proxy server standing between the web server and the
person trying to authenticate.
Philip
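The two points above (credentials sitting in the web server's log, and GET placing them in the request line that every server and proxy in the path records) can be checked mechanically. The following is an added example, not code from the original post or from SHOUTcast: it parses log lines in the format quoted above, pulls out any sensitive query parameter, shows what a logger would see for the same form submitted via GET versus POST, and rewrites the request field so the values never reach the log. The sample log lines, the set of parameter names treated as sensitive, and the helper names are all constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample lines in the SHOUTcast log format quoted in the thread
# (not a real capture). Line 2 is a harmless request for contrast.
SAMPLE_LOG = """\
<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))
<08/20/99@06:12:03> [http:2 my.computer.com] REQ:"/index.html" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))
<08/20/99@06:15:27> [http:3 my.computer.com] REQ:"/admin.cgi?mode=kicksrc&pass=s3cret" (Lynx/2.8.2)
"""

# Parameter names whose values must never be written to a log (assumed list).
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd"}

# The quoted request field of a SHOUTcast log line; group 1 is the request path.
REQ_RE = re.compile(r'REQ:"([^"]*)"')


def find_credentials(log_text):
    """Return (path, param, value) for every sensitive query parameter in the log.

    This is the attacker's / auditor's side: what "grep'ing the logfile" yields.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                hits.append((parts.path, name, value))
    return hits


def logged_request_target(method, path, form_fields):
    """Return the request target a server or proxy log records for a form submission.

    With GET the form fields are appended to the path and land in the log;
    with POST they travel in the body, which request-line logging never sees.
    """
    if method.upper() == "GET":
        return path + "?" + urlencode(form_fields)
    return path


def redact_request(request):
    """Mask the value of every sensitive query parameter in a request target."""
    parts = urlsplit(request)
    if not parts.query:
        return request
    cleaned = [(n, "REDACTED" if n.lower() in SENSITIVE_PARAMS else v)
               for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def redact_log(log_text):
    """Rewrite each REQ:"..." field so that no sensitive parameter value survives."""
    return "\n".join(
        REQ_RE.sub(lambda m: 'REQ:"%s"' % redact_request(m.group(1)), line)
        for line in log_text.splitlines()
    )


if __name__ == "__main__":
    for path, name, value in find_credentials(SAMPLE_LOG):
        print("leaked in log: %s %s=%s" % (path, name, value))
    form = [("pass", "joltcola"), ("mode", "viewlog")]
    print("GET  logs:", logged_request_target("GET", "/admin.cgi", form))
    print("POST logs:", logged_request_target("POST", "/admin.cgi", form))
    print(redact_log(SAMPLE_LOG))
```

Redacting at log-write time is a mitigation for existing logs and for the server's own records only; it does nothing for an intermediate proxy's log, which is why the real fix is to move the credential out of the request line altogether (POST body, or better, an authenticated session rather than a password on every request).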